From 535ab2d4f9bd2c6dc2524e91cec436aa3a9d5452 Mon Sep 17 00:00:00 2001 
From: Jorge Morales Pou Date: Tue, 6 Aug 2024 22:42:58 +0200 Subject: [PATCH 01/11] Working but not configurable --- .../custom/00-remove-toplevel-values.yaml | 2 + .../infrastructure/custom/educates.lib.yaml | 2 + .../eks/00-remove-toplevel-values.yaml | 2 + .../infrastructure/eks/educates.lib.yaml | 2 + .../generic/00-remove-toplevel-values.yaml | 2 + .../infrastructure/generic/educates.lib.yaml | 5 +- .../gke/00-remove-toplevel-values.yaml | 2 + .../infrastructure/gke/educates.lib.yaml | 2 + .../kind/00-remove-toplevel-values.yaml | 2 + .../infrastructure/kind/educates.lib.yaml | 8 +- .../vcluster/00-remove-toplevel-values.yaml | 2 + .../infrastructure/vcluster/educates.lib.yaml | 5 +- .../_ytt_lib/packages/educates/00-schema.yaml | 3 + .../_ytt_lib/packages/educates/08-lookup.yaml | 7 ++ .../_ytt_lib/lookup-service/00-package.star | 55 +++++++++ .../upstream/clusterrolebindings.yaml | 28 +++++ .../lookup-service/upstream/clusterroles.yaml | 52 +++++++++ .../upstream/crd-clientconfig.yaml | 49 ++++++++ .../upstream/crd-clusterconfig.yaml | 64 ++++++++++ .../upstream/crd-tenantconfig.yaml | 109 ++++++++++++++++++ .../lookup-service/upstream/deployments.yaml | 34 ++++++ .../lookup-service/upstream/ingresses.yaml | 20 ++++ .../lookup-service/upstream/rolebindings.yaml | 14 +++ .../lookup-service/upstream/roles.yaml | 53 +++++++++ .../lookup-service/upstream/secrets.yaml | 9 ++ .../upstream/serviceaccounts.yaml | 16 +++ .../lookup-service/upstream/services.yaml | 13 +++ .../bundle/config/ytt/values-schema.yaml | 3 + carvel-packages/installer/config/images.yaml | 2 + .../pkg/config/installationconfig.go | 6 + vendir.lock.yml | 6 + vendir.yml | 9 ++ 32 files changed, 584 insertions(+), 4 deletions(-) create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star create mode 100644 
carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clientconfig.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clusterconfig.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-tenantconfig.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/rolebindings.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/roles.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/secrets.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/services.yaml diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml index c1234be7..9e9dca9a 100644 
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml @@ -44,3 +44,5 @@ workshopAnalytics: websiteStyling: #@overlay/remove imagePuller: +#@overlay/remove +lookup: \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml index 0ef29fb7..c50b3d31 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml @@ -160,4 +160,6 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller +#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: +lookup: #@ data.values.lookup #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml index c1234be7..9e9dca9a 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml @@ -44,3 +44,5 @@ workshopAnalytics: websiteStyling: #@overlay/remove imagePuller: +#@overlay/remove +lookup: \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml index 0ef29fb7..c50b3d31 100644 
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml @@ -160,4 +160,6 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller +#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: +lookup: #@ data.values.lookup #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml index c1234be7..9e9dca9a 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml @@ -44,3 +44,5 @@ workshopAnalytics: websiteStyling: #@overlay/remove imagePuller: +#@overlay/remove +lookup: \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml index 794f579e..c50b3d31 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml @@ -1,5 +1,6 @@ #@ load("@ytt:data", "data") +#! TODO: Customize certs name reference in eks #@ def copy_all_educates_values(): #@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: 
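Review bot: The added `#! TODO: Customize certs name reference in eks` sits at the top of the generic variant of educates.lib.yaml, directly above `copy_all_educates_values`, where it refers to nothing nearby, and the identical line is added to the kind and vcluster variants further down in this patch even though none of the three is the eks variant. If it tracks the `tlsCertificateRef.namespace` default introduced in the kind file, it belongs next to that expression (where a second copy already exists) or in an issue. The index lines show all six infrastructure copies of this file converging on the same blob (`c50b3d31`), so the stray note will have to be removed from each copy separately — a shared lib for the common part would avoid that class of drift.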
@@ -71,7 +72,7 @@ trainingPortal: username: #@ data.values.trainingPortal.credentials.admin.username #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None: password: #@ data.values.trainingPortal.credentials.admin.password - #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.admin != None: + #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None: robot: #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None: username: #@ data.values.trainingPortal.credentials.robot.username @@ -159,4 +160,6 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller +#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: +lookup: #@ data.values.lookup #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml index c1234be7..9e9dca9a 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml @@ -44,3 +44,5 @@ workshopAnalytics: websiteStyling: #@overlay/remove imagePuller: +#@overlay/remove +lookup: \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml index 0ef29fb7..c50b3d31 100644 
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml @@ -160,4 +160,6 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller +#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: +lookup: #@ data.values.lookup #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml index c1234be7..9e9dca9a 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml @@ -44,3 +44,5 @@ workshopAnalytics: websiteStyling: #@overlay/remove imagePuller: +#@overlay/remove +lookup: \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml index 41817d0f..c50b3d31 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml @@ -1,5 +1,6 @@ #@ load("@ytt:data", "data") +#! TODO: Customize certs name reference in eks #@ def copy_all_educates_values(): #@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: 
@@ -28,10 +29,11 @@ clusterIngress: tls.crt: #@ data.values.clusterIngress.tlsCertificate["tls.crt"] #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.key") and data.values.clusterIngress.tlsCertificate["tls.key"] != None: tls.key: #@ data.values.clusterIngress.tlsCertificate["tls.key"] + #! TODO: Customize certs name reference in eks + #! projectcontour/wildcard #@ if/end hasattr(data.values.clusterIngress, "tlsCertificateRef") and data.values.clusterIngress.tlsCertificateRef != None: tlsCertificateRef: - #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None: - namespace: #@ data.values.clusterIngress.tlsCertificateRef.namespace + namespace: #@ (hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None) and data.values.clusterIngress.tlsCertificateRef.namespace or "projectcontour" #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "name") and data.values.clusterIngress.tlsCertificateRef.name != None: name: #@ data.values.clusterIngress.tlsCertificateRef.name #@ if/end hasattr(data.values.clusterIngress, "caCertificate") and data.values.clusterIngress.caCertificate != None: @@ -158,4 +160,6 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller +#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: +lookup: #@ data.values.lookup #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml index c1234be7..9e9dca9a 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml 
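Review bot: The new `namespace: #@ (hasattr(...) and ... != None) and data.values.clusterIngress.tlsCertificateRef.namespace or "projectcontour"` relies on the `a and b or c` idiom, which silently falls back to "projectcontour" whenever the configured namespace is a falsy value such as an empty string, and at this length it is hard to read. Starlark has a conditional expression, so `namespace: #@ data.values.clusterIngress.tlsCertificateRef.namespace if (hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None) else "projectcontour"` states the intent without that pitfall. The two `#! TODO` lines added just above (`Customize certs name reference in eks` and the bare `projectcontour/wildcard`) read as working notes; a comment saying why projectcontour is the default namespace for the certificate reference would serve the next reader better than either.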
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml @@ -44,3 +44,5 @@ workshopAnalytics: websiteStyling: #@overlay/remove imagePuller: +#@overlay/remove +lookup: \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml index 794f579e..c50b3d31 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml @@ -1,5 +1,6 @@ #@ load("@ytt:data", "data") +#! TODO: Customize certs name reference in eks #@ def copy_all_educates_values(): #@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: @@ -71,7 +72,7 @@ trainingPortal: username: #@ data.values.trainingPortal.credentials.admin.username #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None: password: #@ data.values.trainingPortal.credentials.admin.password - #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.admin != None: + #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None: robot: #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None: username: #@ data.values.trainingPortal.credentials.robot.username 
@@ -159,4 +160,6 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller +#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: +lookup: #@ data.values.lookup #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml index 69501c6b..539a07ad 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml @@ -263,3 +263,6 @@ imagePuller: #@schema/default ["base-environment"] prePullImages: - "" + +lookup: + enabled: true \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml new file mode 100644 index 00000000..295d96c2 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml @@ -0,0 +1,7 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:library", "library") +#@ load("@ytt:template", "template") + +#@ if data.values.lookup.enabled: +--- #@ template.replace(library.get("lookup-service").with_data_values(data.values, plain=True).eval()) +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star new file mode 100644 index 00000000..a449d45d --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star 
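Review bot: `lookup.enabled` defaults to `true` in 00-schema.yaml, so every installation built from this patch gets the lookup service, its cluster-scoped RBAC and the long-lived `remote-access-token` Secret unless the user explicitly sets `lookup: {enabled: false}`; for a component the subject line calls "not configurable", `enabled: false` is the safer default until the remaining options land. The installer-level values-schema.yaml hunk near the end of the patch marks `lookup` as `#@schema/nullable` while this package schema does not, so an omitted `lookup` is null at the top level, is dropped by the infrastructure lib's `hasattr(data.values, "lookup") and data.values.lookup != None` guard, and then takes the package default of `{enabled: true}`. A one-line `#!` comment on this schema stating that the package default, not the installer default, decides would make that chain visible; a `#@schema/desc` on `enabled` would match the annotation style used elsewhere in this file.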
@@ -0,0 +1,55 @@ +load("@ytt:data", "data") +load("@ytt:base64", "base64") +load("@ytt:json", "json") + +def xgetattr(object, path, default=None): + def _lookup(object, key, default=None): + keys = key.split(".") + value = default + for key in keys: + value = getattr(object, key, None) + if value == None: + return default + end + object = value + end + return value + end + + return _lookup(object, path, default) +end + +def image_reference(name): + registry = xgetattr(data.values, "imageRegistry.host", "registry.default.svc.cluster.local") + if xgetattr(data.values, "imageRegistry.namespace", "") != "": + registry = "{}/{}".format(registry, data.values.imageRegistry.namespace) + end + image = "{}/educates-{}:{}".format(registry, name, data.values.version) + for item in data.values.imageVersions: + if item.name == name: + image = item.image + break + end + end + return image +end + +def image_pull_policy(image): + tag = image.split(":") + always = len(tag) <= 1 or tag[-1] in ["latest", "main", "master", "develop"] + return always and "Always" or "IfNotPresent" +end + +def image_pull_secrets(): + return [item["name"] for item in data.values.clusterSecrets.pullSecretRefs] +end + +def docker_config_json(host, username, password): + return json.encode({ + "auths": { + host: { + "auth": base64.encode("{}:{}".format(username, password)) + } + } + }) +end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml new file mode 100644 index 00000000..c6bc6777 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml 
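Review bot: `image_pull_policy` derives the tag with `image.split(":")`, so a reference whose registry host carries a port but which has no tag (constructed example: `host:5000/educates-lookup-service`) yields `tag[-1] == "5000/educates-lookup-service"`, is treated as a pinned tag and gets IfNotPresent although the effective tag is latest; restricting the split to the last path segment, `tag = image.split("/")[-1].split(":")`, fixes that and still handles `@sha256:` digests. `image_reference` builds its reference from `imageRegistry.host`, which may well contain a port, so this is reachable through this package's own defaults. In `xgetattr._lookup` the loop variable reuses the parameter name `key` and the initial `value = default` is never read; `for part in key.split("."):` and dropping the dead assignment would make the helper easier to follow. `image_pull_secrets` and `docker_config_json` are defined but nothing in this patch calls them — deployments.yaml later in the patch sets no `imagePullSecrets` — so either wire them up or leave them out until needed.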
@@ -0,0 +1,28 @@ +--- +#! Cluster role bindings for the lookup service. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: educates-lookup-service +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: educates-lookup-service +subjects: +- kind: ServiceAccount + name: lookup-service + namespace: educates-config +--- +#! Cluster role bindings for the remote access. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: educates-remote-access +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: educates-remote-access +subjects: +- kind: ServiceAccount + name: remote-access + namespace: educates-config diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml new file mode 100644 index 00000000..192739a7 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml 
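Review bot: Both ClusterRoleBindings bind subjects in `namespace: educates-config` (`lookup-service` and `remote-access`), but the ServiceAccounts created by serviceaccounts.yaml in this same patch live in `namespace: educates`, and the Deployment runs as `serviceAccountName: lookup-service` in `educates`. Unless an `educates-config` namespace holding accounts with these names exists outside this patch, the bindings grant to subjects that do not exist and the running service never receives the `educates-lookup-service` permissions it needs to watch CRDs and namespaces. Kubernetes accepts a binding to a non-existent subject silently, so this will only surface as permission errors in the operator's log; `namespace: educates` in both subjects, or one namespace agreed across all of the lookup-service manifests, resolves it.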
@@ -0,0 +1,52 @@ +--- +#! Cluster role for the lookup service application. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: educates-lookup-service +rules: + #! We need ability to watch for changes to CRDs so kopf can tell if its own + #! custom resources have changed. + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + #! We need the ability to watch for namespace changes. + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +--- +#! Cluster role for the remote access clients. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: educates-remote-access +rules: +- apiGroups: + - training.educates.dev + resources: + - trainingportals + - workshopenvironments + - workshopsessions + - workshopallocations + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clientconfig.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clientconfig.yaml new file mode 100644 index 00000000..b0e6cfb9 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clientconfig.yaml 
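Review bot: The second rule of `educates-remote-access` lists `customresourcedefinitions` under `apiGroups: [""]`, but CRDs belong to `apiextensions.k8s.io` (the `educates-lookup-service` role above gets this right), so that rule grants nothing. If remote-access clients need to read CRDs the group should be `apiextensions.k8s.io`; if they do not, drop the rule so the role reflects what is actually granted. The first rule gives the remote-access account cluster-wide read on every training.educates.dev portal, environment, session and allocation, which deserves a `#!` comment like the ones on the lookup-service rules explaining why a cluster-scoped role is required rather than per-namespace Roles.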
@@ -0,0 +1,49 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clientconfigs.lookup.educates.dev +spec: + scope: Namespaced + group: lookup.educates.dev + names: + plural: clientconfigs + singular: clientconfig + kind: ClientConfig + categories: + - educates-lookup + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - client + - tenants + - roles + properties: + client: + type: object + required: + - password + properties: + password: + type: string + minLength: 8 + roles: + type: array + items: + type: string + minLength: 1 + tenants: + type: array + items: + type: string + minLength: 1 + status: + type: object + x-kubernetes-preserve-unknown-fields: true diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clusterconfig.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clusterconfig.yaml new file mode 100644 index 00000000..8c0ad313 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clusterconfig.yaml 
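Review bot: `ClientConfig.spec.client.password` stores a client credential in plain text inside the custom resource (only `minLength: 8` is enforced), so anyone who can read clientconfigs in the namespace sees every client password, and the value ends up in etcd and in any GitOps repository that carries these manifests. The `ClusterConfig` CRD in this same patch already uses a `secretRef` with `name`/`key` for its kubeconfig; a `passwordRef` of the same shape would keep the credential out of the CR, or, if the field is meant to hold a hash rather than the password, a `description` saying so is needed because nothing in the schema indicates it. This CRD also has no `description` on any field, unlike crd-clusterconfig.yaml.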
@@ -0,0 +1,64 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterconfigs.lookup.educates.dev +spec: + scope: Namespaced + group: lookup.educates.dev + names: + plural: clusterconfigs + singular: clusterconfig + kind: ClusterConfig + categories: + - educates-lookup + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Specification of the cluster configuration. + properties: + labels: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + value: + type: string + credentials: + type: object + description: Credentials for the cluster. + required: + - kubeconfig + properties: + kubeconfig: + type: object + properties: + secretRef: + type: object + description: Reference to the secret containing the kubeconfig for the cluster. + required: + - name + properties: + name: + type: string + description: Name of the secret containing the kubeconfig for the cluster. + key: + type: string + description: Key in the secret containing the kubeconfig for the cluster. + default: config + context: + type: string + description: Context in the kubeconfig for the cluster. + status: + type: object + x-kubernetes-preserve-unknown-fields: true diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-tenantconfig.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-tenantconfig.yaml new file mode 100644 index 00000000..008073bd --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-tenantconfig.yaml 
@@ -0,0 +1,109 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tenantconfigs.lookup.educates.dev +spec: + scope: Namespaced + group: lookup.educates.dev + names: + plural: tenantconfigs + singular: tenantconfig + kind: TenantConfig + categories: + - educates-lookup + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + clusters: + type: object + properties: + nameSelector: + type: object + required: + - matchNames + properties: + matchNames: + type: array + items: + type: string + labelSelector: + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + values: + type: array + items: + type: string + portals: + type: object + properties: + nameSelector: + type: object + required: + - matchNames + properties: + matchNames: + type: array + items: + type: string + labelSelector: + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + values: + type: array + items: + type: string + status: + type: object + x-kubernetes-preserve-unknown-fields: true diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml new file mode 100644 index 00000000..16a59ef5 
--- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml @@ -0,0 +1,34 @@ +#@ load("@ytt:data", "data") +#@ load("/00-package.star", "image_reference", "image_pull_policy") + +#! Deployment for the lookup service. It will be listening on port 8080. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: lookup-service + namespace: educates +spec: + replicas: 1 + selector: + matchLabels: + app: lookup-service + template: + metadata: + labels: + app: lookup-service + spec: + serviceAccountName: lookup-service + containers: + - name: lookup-service + #@ image = image_reference("lookup-service") + image: #@ image + imagePullPolicy: #@ image_pull_policy(image) + ports: + - containerPort: 8080 + volumeMounts: + - name: cluster-access-token + mountPath: /opt/cluster-access-token + volumes: + - name: cluster-access-token + secret: + secretName: remote-access-token diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml new file mode 100644 index 00000000..4fbaeeca --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml @@ -0,0 +1,20 @@ +#@ load("@ytt:data", "data") + +#! Ingress for the lookup service mapping to the lookup service Service. +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: lookup-service + namespace: educates +spec: + rules: + - host: #@ "lookup." + data.values.clusterIngress.domain + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: lookup-service + port: + number: 8080 
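Review bot: The `lookup-service` container mounts the long-lived `remote-access-token` Secret at `/opt/cluster-access-token` yet the pod spec sets no `securityContext`, no resource requests/limits and no `imagePullSecrets`, although `00-package.star` in this patch defines `image_pull_secrets()` for that purpose (note it returns bare names, so the pod spec has to wrap them). The pod also receives its own `lookup-service` token through the default auto-mount, so it holds two identities; a comment such as `#! Runs as lookup-service; the mounted remote-access token is presumably what the service hands to clients — confirm.` would record the intent. The hardening below is the usual baseline; `readOnlyRootFilesystem` needs a check that the image does not write to its root filesystem. The header comment `#! It will be listening on port 8080.` restates `containerPort` without saying whether the image's port is configurable.

```yaml
#@ load("/00-package.star", "image_reference", "image_pull_policy", "image_pull_secrets")
#! … unchanged: Deployment metadata, replicas, selector, template labels …
    spec:
      serviceAccountName: lookup-service
      #! image_pull_secrets() yields names; wrap them into the LocalObjectReference shape
      imagePullSecrets: #@ [{"name": name} for name in image_pull_secrets()]
      securityContext:
        runAsNonRoot: true
      containers:
      - name: lookup-service
        #! … unchanged: image, imagePullPolicy, ports, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
#! … unchanged: volumes …
```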
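Review bot: The Ingress publishes `lookup.<clusterIngress.domain>` with no `tls:` section and no `ingressClassName`, so unless the ingress controller terminates TLS for every host by default, a service whose ClientConfig resources carry passwords is reachable over plain HTTP. The infrastructure lib files in this patch already propagate `clusterIngress.tlsCertificateRef` (defaulted to the projectcontour namespace), so the Ingress can add `tls: [{hosts: [host], secretName: data.values.clusterIngress.tlsCertificateRef.name}]` — please check how the existing trainingportal ingresses consume that reference and mirror it rather than trusting my reading of the values. Binding the host once, `#@ host = "lookup." + data.values.clusterIngress.domain`, lets the same value feed both `rules` and `tls`.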
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/rolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/rolebindings.yaml new file mode 100644 index 00000000..96ea7756 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/rolebindings.yaml @@ -0,0 +1,14 @@ +#! Role bindings for the lookup service. +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: lookup-service + namespace: educates +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: lookup-service +subjects: +- kind: ServiceAccount + name: lookup-service + namespace: educates diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/roles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/roles.yaml new file mode 100644 index 00000000..b443685b --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/roles.yaml 
@@ -0,0 +1,53 @@ +#! Role for the lookup service application. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: lookup-service + namespace: educates +rules: + #! We need read/write access to the ClusterConfig, ManagedCluster, + #! ClientConfig and TenantConfig custom resources from the + #! lookup.educates.dev API group. + - apiGroups: + - lookup.educates.dev + resources: + - clusterconfigs + - managedclusters + - clientconfigs + - tenantconfigs + verbs: + - get + - list + - watch + - patch + - update + #! We need update access to the finalizers of the ClusterConfig, + #! ManagedCluster, ClientConfig and TenantConfig custom resources from the + #! lookup.educates.dev API group so kopf can track deletion. + - apiGroups: + - lookup.educates.dev + resources: + - clusterconfigs/finalizers + - managedclusters/finalizers + - clientconfigs/finalizers + - tenantconfigs/finalizers + verbs: + - update + #! We need read access to the secrets in the application namespace, so we can + #! read the kubeconfig for the managed cluster. + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + #! We need the ability to create events in the application namespace so kopf + #! can log events. + - apiGroups: + - "" + resources: + - events + verbs: + - create diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/secrets.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/secrets.yaml new file mode 100644 index 00000000..7ed512e0 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/secrets.yaml 
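Review bot: The `lookup-service` Role grants `get/list/watch` on every Secret in the `educates` namespace, which is where `remote-access-token` (a long-lived ServiceAccount token created by secrets.yaml in this patch) and presumably the other educates secrets live, while the comment says the intent is only to read the kubeconfig that `ClusterConfig.spec.credentials.kubeconfig.secretRef` names explicitly. `resourceNames` can bound the `get`, but not `list`/`watch`, so if the operator really needs to watch secrets the effective boundary is a dedicated namespace for the kubeconfig secrets; at minimum the comment should say that namespace-wide list/watch on secrets is accepted and why, so the grant is not widened further by accident. The first two rules also name `managedclusters` and `managedclusters/finalizers`, but no ManagedCluster CRD is created in this patch, so either that CRD is missing or these entries are stale.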
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: remote-access-token
+ namespace: educates
+ annotations:
+ kubernetes.io/service-account.name: remote-access
+ kapp.k14s.io/change-rule: "upsert after upserting educates/sa-with-separate-token-secret"
+type: kubernetes.io/service-account-token
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml
new file mode 100644
index 00000000..13226d24
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml
@@ -0,0 +1,16 @@
+---
+#! ServiceAccount to run the lookup service application.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: lookup-service
+ namespace: educates
+---
+#! ServiceAccount for remote access clients.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: remote-access
+ namespace: educates
+ annotations:
+ kapp.k14s.io/change-group: "educates/sa-with-separate-token-secret"
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/services.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/services.yaml
new file mode 100644
index 00000000..c3349b23
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/services.yaml
@@ -0,0 +1,13 @@
+#! Service for the lookup service.
+apiVersion: v1
+kind: Service
+metadata:
+ name: lookup-service
+ namespace: educates
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8080
+ targetPort: 8080
+ selector:
+ app: lookup-service
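Review bot: secrets.yaml materialises a non-expiring `kubernetes.io/service-account-token` for the `remote-access` ServiceAccount, which a sibling file binds at cluster scope, yet unlike the other upstream manifests it carries no header comment saying who consumes that token or how it is rotated. A reader should not have to infer this from the kapp change-rule annotation; add something like `#! Long-lived token for the remote-access ServiceAccount; deleting this Secret makes the token controller issue a fresh one.` If the consumer could use a short-lived bound token from the TokenRequest API instead, note why a static Secret was chosen.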
diff --git a/carvel-packages/installer/bundle/config/ytt/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/values-schema.yaml index 223d9007..f5087e58 100644 --- a/carvel-packages/installer/bundle/config/ytt/values-schema.yaml +++ b/carvel-packages/installer/bundle/config/ytt/values-schema.yaml @@ -316,3 +316,6 @@ imagePuller: prePullImages: #@schema/validation min_len=1 - "" +#@schema/nullable +lookup: + enabled: true \ No newline at end of file diff --git a/carvel-packages/installer/config/images.yaml b/carvel-packages/installer/config/images.yaml index ae086b8b..936c9171 100644 --- a/carvel-packages/installer/config/images.yaml +++ b/carvel-packages/installer/config/images.yaml @@ -41,6 +41,8 @@ imageVersions: image: #@ image_reference("image-cache") - name: assets-server image: #@ image_reference("assets-server") + - name: lookup-service + image: #@ image_reference("lookup-service") - name: debian-base-image image: "debian:sid-20230502-slim" - name: docker-in-docker diff --git a/client-programs/pkg/config/installationconfig.go b/client-programs/pkg/config/installationconfig.go index 7801ed6c..8110c0af 100644 --- a/client-programs/pkg/config/installationconfig.go +++ b/client-programs/pkg/config/installationconfig.go @@ -251,6 +251,10 @@ type ImagePullerConfig struct { PrePullImages []string `yaml:"prePullImages,omitempty"` } +type LookupConfig struct { + Enabled *bool `yaml:"enabled"` +} + type ClusterEssentialsConfig struct { ClusterInfrastructure ClusterInfrastructureConfig `yaml:"clusterInfrastructure,omitempty"` ClusterPackages ClusterPackagesConfig `yaml:"clusterPackages,omitempty"` @@ -274,6 +278,7 @@ type TrainingPlatformConfig struct { WorkshopAnalytics WorkshopAnalyticsConfig `yaml:"workshopAnalytics,omitempty"` WebsiteStyling WebsiteStylingConfig `yaml:"websiteStyling,omitempty"` ImagePuller ImagePullerConfig `yaml:"imagePuller,omitempty"` + Lookup LookupConfig `yaml:"lookup,omitempty"` } type InstallationConfig struct { 
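Review bot: The new `lookup` stanza at the end of values-schema.yaml defaults to `enabled: true`, so every installation built from this schema turns the lookup service on, together with its Ingress, the cluster-scoped remote-access binding and the static token Secret, unless the operator explicitly opts out. Given the commit title says the feature is not yet configurable, `enabled: false` is the safer default until it settles; the educates package schema in the same series defaults it on as well, so both would need flipping. The file also ends without a newline after the added block, which the diff flags.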
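Review bot: `LookupConfig.Enabled` in installationconfig.go is the only field in the surrounding structs whose tag lacks `omitempty` (compare `PrePullImages []string \`yaml:"prePullImages,omitempty"\`` just above), so a nil pointer is serialised as `enabled: null` rather than being left out. `Enabled *bool \`yaml:"enabled,omitempty"\`` keeps the pointer's "unset" meaning and matches the sibling fields. Both `TrainingPlatformConfig` and `InstallationConfig` gain a `Lookup` field here, so whichever tag you settle on applies to both call paths.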
@@ -298,6 +303,7 @@ type InstallationConfig struct { WorkshopAnalytics WorkshopAnalyticsConfig `yaml:"workshopAnalytics,omitempty"` WebsiteStyling WebsiteStylingConfig `yaml:"websiteStyling,omitempty"` ImagePuller ImagePullerConfig `yaml:"imagePuller,omitempty"` + Lookup LookupConfig `yaml:"lookup,omitempty"` } type EducatesDomainStruct struct { diff --git a/vendir.lock.yml b/vendir.lock.yml index 4831066a..d30c54a4 100644 --- a/vendir.lock.yml +++ b/vendir.lock.yml @@ -60,4 +60,10 @@ directories: url: https://api.github.com/repos/carvel-dev/kapp-controller/releases/155438864 path: . path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/upstream +# - contents: +# - git: +# commitTitle: Changes related to new lookup service. +# sha: bd0b8588767f8664eccb22f7e2502f8f529990d5 +# path: . +# path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream kind: LockConfig diff --git a/vendir.yml b/vendir.yml index 08976d1f..8cdf4f58 100644 --- a/vendir.yml +++ b/vendir.yml @@ -114,3 +114,12 @@ directories: disableAutoChecksumValidation: true includePaths: - release.yml + # - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream + # contents: + # - path: "." + # git: + # url: https://github.com/GrahamDumpleton/lab-platform-operator + # ref: origin/main + # includePaths: + # - exercises/resources-v2/*.yaml + # newRootPath: exercises/resources-v2 \ No newline at end of file From 963a421edfe9b4a4ff5134daf6ca6ae037a716e6 Mon Sep 17 00:00:00 2001 
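Review bot: The vendir.yml entry that would fetch the lookup-service `upstream/` manifests is committed commented out, and so is the matching vendir.lock.yml block, so the checked-in `upstream/*.yaml` files have no machine-checked provenance: nothing records which commit of the external repository they were copied from apart from the commented `sha` line. If vendoring stays manual, keep the source and commit in an uncommented header in the lock or in the upstream directory so it stays traceable; if the entry is re-enabled later, note that `ref: origin/main` is a moving target and only the lock `sha` pins what gets installed.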
From: Jorge Morales Pou Date: Tue, 6 Aug 2024 23:04:44 +0200 Subject: [PATCH 02/11] Still not configurable --- .../overlays.yaml/overlay-image.yaml | 15 +++++++++++++ .../overlays.yaml/overlay-ingress.yaml | 21 +++++++++++++++++++ .../lookup-service/upstream/deployments.yaml | 8 ++----- .../lookup-service/upstream/ingresses.yaml | 4 +--- .../lookup-service/values-schema.yaml.NO | 10 +++++++++ 5 files changed, 49 insertions(+), 9 deletions(-) create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/values-schema.yaml.NO diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml new file mode 100644 index 00000000..bbfbdfc2 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml @@ -0,0 +1,15 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") +#@ load("/00-package.star", "image_reference", "image_pull_policy") + +#@overlay/match by=overlay.subset({"kind":"Deployment"}) +--- +spec: + template: + spec: + containers: + #@overlay/match by="name" + - name: lookup-service + #@ image = image_reference("lookup-service") + image: #@ image + imagePullPolicy: #@ image_pull_policy(image) \ No newline at end of file 
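Review bot: `#@ load("@ytt:data", "data")` at the top of overlay-image.yaml is unused; the overlay only calls `overlay.subset` and the two helpers loaded from `/00-package.star`. ytt does not report unused loads, so the line survives silently; drop it. A short header such as `#! Replaces the NAME/Always placeholders in upstream/deployments.yaml with the packaged image.` would also tell a reader why the upstream Deployment carries placeholders instead of real values.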
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml new file mode 100644 index 00000000..fb94461a --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml @@ -0,0 +1,21 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") + +#@overlay/match by=overlay.subset({"kind":"Ingress"}) +--- +#@ if/end hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None: +metadata: + #@overlay/match missing_ok=True + annotations: + #@overlay/match missing_ok=True + cert-manager.io/cluster-issuer: #@ data.values.clusterIngress.clusterIssuer +spec: + rules: + #@overlay/match by=overlay.index(0) + - host: #@ "lookup.{}".format(data.values.clusterIngress.domain) + #@overlay/match missing_ok=True + #@ if/end hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None: + tls: + - hosts: + - #@ "lookup.{}".format(data.values.clusterIngress.domain) + secretName: wildcard \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml index 16a59ef5..0bfb2422 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml 
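Review bot: The `tls` block in overlay-ingress.yaml hard-codes `secretName: wildcard` while the condition enabling it is keyed on `clusterIngress.clusterIssuer`; nothing in this file ties the issuer-annotated certificate to a Secret literally named `wildcard` in the `educates` namespace, so unless another part of the package guarantees that name the Ingress references a missing Secret and the host is served with the ingress controller's default certificate. If the wildcard Secret is an educates convention, say so: `#! "wildcard" is the Secret the educates package copies the cluster wildcard certificate into.`; otherwise derive the name from the configured certificate reference. The later commits in this series that touch the file keep the same literal.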
@@ -1,6 +1,3 @@ -#@ load("@ytt:data", "data") -#@ load("/00-package.star", "image_reference", "image_pull_policy") - #! Deployment for the lookup service. It will be listening on port 8080. apiVersion: apps/v1 kind: Deployment @@ -20,9 +17,8 @@ spec: serviceAccountName: lookup-service containers: - name: lookup-service - #@ image = image_reference("lookup-service") - image: #@ image - imagePullPolicy: #@ image_pull_policy(image) + image: NAME + imagePullPolicy: Always ports: - containerPort: 8080 volumeMounts: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml index 4fbaeeca..fe30cca6 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml @@ -1,5 +1,3 @@ -#@ load("@ytt:data", "data") - #! Ingress for the lookup service mapping to the lookup service Service. apiVersion: networking.k8s.io/v1 kind: Ingress @@ -8,7 +6,7 @@ metadata: namespace: educates spec: rules: - - host: #@ "lookup." + data.values.clusterIngress.domain + - host: HOST http: paths: - path: / diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/values-schema.yaml.NO b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/values-schema.yaml.NO new file mode 100644 index 00000000..8a85e62b --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/values-schema.yaml.NO 
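Review bot: `image: NAME` in deployments.yaml and `host: HOST` in ingresses.yaml are placeholders that are only valid because overlay-image.yaml and overlay-ingress.yaml rewrite them, but nothing in either upstream file says so, and the `imagePullPolicy: Always` written next to the placeholder is overwritten too. Add a comment beside each placeholder, e.g. `#! Placeholder: replaced by overlays.yaml/overlay-image.yaml` and `#! Placeholder: replaced by overlays.yaml/overlay-ingress.yaml`, so the dependency is explicit the next time the upstream files are re-synced by hand. Both Deployment and Ingress bodies extend beyond the hunks shown.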
@@ -0,0 +1,10 @@ +#@data/values-schema +--- +clusterIngress: + domain: "educates-local-dev.test" + #@schema/nullable + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + #@schema/nullable + clusterIssuer: "letsencrypt-prod" \ No newline at end of file From cb633578eac7acc533f93ddfe59110dfbc8cae3a Mon Sep 17 00:00:00 2001 From: Jorge Morales Pou Date: Tue, 6 Aug 2024 23:22:37 +0200 Subject: [PATCH 03/11] TLS kinda working --- .../_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml index fb94461a..89b57d60 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml @@ -14,7 +14,7 @@ spec: #@overlay/match by=overlay.index(0) - host: #@ "lookup.{}".format(data.values.clusterIngress.domain) #@overlay/match missing_ok=True - #@ if/end hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None: + #@ if/end (hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None) or (data.values.clusterIngress.tlsCertificateRef.name != None): tls: - hosts: - #@ "lookup.{}".format(data.values.clusterIngress.domain) From 175fa1402e252c9d48223142a7865f2f75d02c69 Mon Sep 17 00:00:00 2001 
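Review bot: The new condition in overlay-ingress.yaml dereferences `data.values.clusterIngress.tlsCertificateRef.name` without first checking that `tlsCertificateRef` itself is set; the (disabled) values-schema.yaml.NO in this same series marks `tlsCertificateRef` as `#@schema/nullable`, so on an installation with neither a cluster issuer nor a certificate reference the template would fail with an attribute access on `None` instead of simply omitting the `tls` block. Guard the reference: `#@ if/end (hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None) or (data.values.clusterIngress.tlsCertificateRef != None and data.values.clusterIngress.tlsCertificateRef.name != None):`. Whether the educates package schema that is actually in effect also makes it nullable is not visible here, so confirm against that schema.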
From: Jorge Morales Pou Date: Wed, 7 Aug 2024 13:42:28 +0200 Subject: [PATCH 04/11] Adding ingressPrefix --- .../custom/00-remove-toplevel-values.yaml | 2 +- .../infrastructure/custom/educates.lib.yaml | 8 +- .../eks/00-remove-toplevel-values.yaml | 2 +- .../infrastructure/eks/educates.lib.yaml | 8 +- .../generic/00-remove-toplevel-values.yaml | 2 +- .../infrastructure/generic/educates.lib.yaml | 8 +- .../gke/00-remove-toplevel-values.yaml | 2 +- .../infrastructure/gke/educates.lib.yaml | 8 +- .../kind/00-remove-toplevel-values.yaml | 2 +- .../infrastructure/kind/educates.lib.yaml | 8 +- .../vcluster/00-remove-toplevel-values.yaml | 2 +- .../infrastructure/vcluster/educates.lib.yaml | 8 +- .../_ytt_lib/packages/educates/00-schema.yaml | 5 +- .../_ytt_lib/packages/educates/08-lookup.yaml | 2 +- .../overlays.yaml/overlay-ingress.yaml | 4 +- .../upstream/clusterrolebindings.yaml | 2 +- .../lookup-service/values-schema.yaml.NO | 10 - .../_ytt_lib/packages/upstream/install.yaml | 45930 ---------------- .../bundle/config/ytt/values-schema.yaml | 6 +- .../pkg/config/installationconfig.go | 9 +- 20 files changed, 58 insertions(+), 45970 deletions(-) delete mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/values-schema.yaml.NO delete mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/upstream/install.yaml diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml index 9e9dca9a..8833f111 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml 
@@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookup: \ No newline at end of file +lookupService: \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml index c50b3d31..96bf208f 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml @@ -160,6 +160,10 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller -#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: -lookup: #@ data.values.lookup +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml index 9e9dca9a..8833f111 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookup: \ No newline at end of file +lookupService: \ No newline at end of file 
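Review bot: The six `educates.lib.yaml` files under `_ytt_lib/infrastructure/{custom,eks,generic,gke,kind,vcluster}` receive the identical hunk and, per their `index c50b3d31..96bf208f` lines, are byte-identical before and after; the six `00-remove-toplevel-values.yaml` files likewise share `index 9e9dca9a..8833f111`, and this is the second commit in the series that had to touch all twelve in lockstep. Hoisting the shared value-mapping into one library that every infrastructure flavour loads would make the next `lookupService` field a one-file change and remove the risk of the copies drifting. The same point applies to the eks, generic, gke, kind and vcluster hunks that follow.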
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml index c50b3d31..96bf208f 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml @@ -160,6 +160,10 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller -#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: -lookup: #@ data.values.lookup +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml index 9e9dca9a..8833f111 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookup: \ No newline at end of file +lookupService: \ No newline at end of file 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml index c50b3d31..96bf208f 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml @@ -160,6 +160,10 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller -#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: -lookup: #@ data.values.lookup +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml index 9e9dca9a..8833f111 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookup: \ No newline at end of file +lookupService: \ No newline at end of file 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml index c50b3d31..96bf208f 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml @@ -160,6 +160,10 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller -#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: -lookup: #@ data.values.lookup +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml index 9e9dca9a..8833f111 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookup: \ No newline at end of file +lookupService: \ No newline at end of file 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml index c50b3d31..96bf208f 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml @@ -160,6 +160,10 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller -#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: -lookup: #@ data.values.lookup +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml index 9e9dca9a..8833f111 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookup: \ No newline at end of file +lookupService: \ No newline at end of file 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml index c50b3d31..96bf208f 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml @@ -160,6 +160,10 @@ websiteStyling: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: imagePuller: #@ data.values.imagePuller -#@ if/end hasattr(data.values, "lookup") and data.values.lookup != None: -lookup: #@ data.values.lookup +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml index 539a07ad..8c4cc4c8 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml @@ -264,5 +264,6 @@ imagePuller: prePullImages: - "" -lookup: - enabled: true \ No newline at end of file +lookupService: + enabled: false + ingressPrefix: "educates-api" \ No newline at end of file 
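Review bot: `ingressPrefix` added to 00-schema.yaml is interpolated straight into an Ingress host (`"{}.{}".format(ingressPrefix, domain)` in overlay-ingress.yaml) with no validation, so an empty value yields a host of the form `.domain` and the problem only surfaces as an admission error on the Ingress. The installer schema already uses `#@schema/validation min_len=1` for `prePullImages`; the same annotation above `ingressPrefix`, `#@schema/validation min_len=1`, rejects the empty case at template time. A stricter DNS-label check would also catch dots and upper-case characters, if ytt's validation in use here supports it.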
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml index 295d96c2..fe5f0908 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml @@ -2,6 +2,6 @@ #@ load("@ytt:library", "library") #@ load("@ytt:template", "template") -#@ if data.values.lookup.enabled: +#@ if data.values.lookupService.enabled: --- #@ template.replace(library.get("lookup-service").with_data_values(data.values, plain=True).eval()) #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml index 89b57d60..a92855e5 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml @@ -12,10 +12,10 @@ metadata: spec: rules: #@overlay/match by=overlay.index(0) - - host: #@ "lookup.{}".format(data.values.clusterIngress.domain) + - host: #@ "{}.{}".format(data.values.lookupService.ingressPrefix, data.values.clusterIngress.domain) #@overlay/match missing_ok=True #@ if/end (hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None) or (data.values.clusterIngress.tlsCertificateRef.name != None): tls: - hosts: - - #@ "lookup.{}".format(data.values.clusterIngress.domain) + - #@ "{}.{}".format(data.values.lookupService.ingressPrefix, data.values.clusterIngress.domain) secretName: wildcard \ No newline at end of file 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml index c6bc6777..6b2a97f8 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml @@ -11,7 +11,7 @@ roleRef: subjects: - kind: ServiceAccount name: lookup-service - namespace: educates-config + namespace: educates --- #! Cluster role bindings for the remote access. apiVersion: rbac.authorization.k8s.io/v1 diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/values-schema.yaml.NO b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/values-schema.yaml.NO deleted file mode 100644 index 8a85e62b..00000000 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/values-schema.yaml.NO +++ /dev/null @@ -1,10 +0,0 @@ -#@data/values-schema ---- -clusterIngress: - domain: "educates-local-dev.test" - #@schema/nullable - tlsCertificateRef: - namespace: projectcontour - name: educateswildcard - #@schema/nullable - clusterIssuer: "letsencrypt-prod" \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/upstream/install.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/upstream/install.yaml deleted file mode 100644 index 62f384b6..00000000 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/upstream/install.yaml +++ /dev/null 
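Review bot: The subject namespace corrected here from `educates-config` to `educates` had failed silently, because the RBAC API does not validate that a ClusterRoleBinding's subjects exist; the binding simply granted nothing to the real ServiceAccount. The literal `namespace: educates` now appears in every hand-edited upstream manifest in this directory, so the same drift can recur on the next re-sync; templating the namespace once (a ytt value or an overlay that sets `metadata.namespace` and every subject namespace) would keep the copies consistent. The remote-access ClusterRoleBinding in the same file starts outside the hunk.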
@@ -1,45930 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: kyverno - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kyverno-admission-controller - namespace: kyverno - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kyverno-background-controller - namespace: kyverno - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kyverno-cleanup-controller - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kyverno-cleanup-jobs - namespace: kyverno - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kyverno-reports-controller - namespace: kyverno - labels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: kyverno - namespace: kyverno - labels: - app.kubernetes.io/component: config - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -data: - enableDefaultRegistryMutation: "true" - defaultRegistry: "docker.io" - generateSuccessEvents: "false" - excludeGroups: "system:nodes" - resourceFilters: >- - [*/*,kyverno,*] 
- [Event,*,*] - [*/*,kube-system,*] - [*/*,kube-public,*] - [*/*,kube-node-lease,*] - [Node,*,*] - [Node/*,*,*] - [APIService,*,*] - [APIService/*,*,*] - [TokenReview,*,*] - [SubjectAccessReview,*,*] - [SelfSubjectAccessReview,*,*] - [Binding,*,*] - [Pod/binding,*,*] - [ReplicaSet,*,*] - [ReplicaSet/*,*,*] - [AdmissionReport,*,*] - [AdmissionReport/*,*,*] - [ClusterAdmissionReport,*,*] - [ClusterAdmissionReport/*,*,*] - [BackgroundScanReport,*,*] - [BackgroundScanReport/*,*,*] - [ClusterBackgroundScanReport,*,*] - [ClusterBackgroundScanReport/*,*,*] - [ClusterRole,*,kyverno:admission-controller] - [ClusterRole,*,kyverno:admission-controller:core] - [ClusterRole,*,kyverno:admission-controller:additional] - [ClusterRole,*,kyverno:background-controller] - [ClusterRole,*,kyverno:background-controller:core] - [ClusterRole,*,kyverno:background-controller:additional] - [ClusterRole,*,kyverno:cleanup-controller] - [ClusterRole,*,kyverno:cleanup-controller:core] - [ClusterRole,*,kyverno:cleanup-controller:additional] - [ClusterRole,*,kyverno:reports-controller] - [ClusterRole,*,kyverno:reports-controller:core] - [ClusterRole,*,kyverno:reports-controller:additional] - [ClusterRoleBinding,*,kyverno:admission-controller] - [ClusterRoleBinding,*,kyverno:background-controller] - [ClusterRoleBinding,*,kyverno:cleanup-controller] - [ClusterRoleBinding,*,kyverno:reports-controller] - [ServiceAccount,kyverno,kyverno-admission-controller] - [ServiceAccount/*,kyverno,kyverno-admission-controller] - [ServiceAccount,kyverno,kyverno-background-controller] - [ServiceAccount/*,kyverno,kyverno-background-controller] - [ServiceAccount,kyverno,kyverno-cleanup-controller] - [ServiceAccount/*,kyverno,kyverno-cleanup-controller] - [ServiceAccount,kyverno,kyverno-reports-controller] - [ServiceAccount/*,kyverno,kyverno-reports-controller] - [Role,kyverno,kyverno:admission-controller] - [Role,kyverno,kyverno:background-controller] - [Role,kyverno,kyverno:cleanup-controller] - 
[Role,kyverno,kyverno:reports-controller] - [RoleBinding,kyverno,kyverno:admission-controller] - [RoleBinding,kyverno,kyverno:background-controller] - [RoleBinding,kyverno,kyverno:cleanup-controller] - [RoleBinding,kyverno,kyverno:reports-controller] - [ConfigMap,kyverno,kyverno] - [ConfigMap,kyverno,kyverno-metrics] - [Deployment,kyverno,kyverno-admission-controller] - [Deployment/*,kyverno,kyverno-admission-controller] - [Deployment,kyverno,kyverno-background-controller] - [Deployment/*,kyverno,kyverno-background-controller] - [Deployment,kyverno,kyverno-cleanup-controller] - [Deployment/*,kyverno,kyverno-cleanup-controller] - [Deployment,kyverno,kyverno-reports-controller] - [Deployment/*,kyverno,kyverno-reports-controller] - [Pod,kyverno,kyverno-admission-controller-*] - [Pod/*,kyverno,kyverno-admission-controller-*] - [Pod,kyverno,kyverno-background-controller-*] - [Pod/*,kyverno,kyverno-background-controller-*] - [Pod,kyverno,kyverno-cleanup-controller-*] - [Pod/*,kyverno,kyverno-cleanup-controller-*] - [Pod,kyverno,kyverno-reports-controller-*] - [Pod/*,kyverno,kyverno-reports-controller-*] - [Job,kyverno,kyverno-hook-pre-delete] - [Job/*,kyverno,kyverno-hook-pre-delete] - [NetworkPolicy,kyverno,kyverno-admission-controller] - [NetworkPolicy/*,kyverno,kyverno-admission-controller] - [NetworkPolicy,kyverno,kyverno-background-controller] - [NetworkPolicy/*,kyverno,kyverno-background-controller] - [NetworkPolicy,kyverno,kyverno-cleanup-controller] - [NetworkPolicy/*,kyverno,kyverno-cleanup-controller] - [NetworkPolicy,kyverno,kyverno-reports-controller] - [NetworkPolicy/*,kyverno,kyverno-reports-controller] - [PodDisruptionBudget,kyverno,kyverno-admission-controller] - [PodDisruptionBudget/*,kyverno,kyverno-admission-controller] - [PodDisruptionBudget,kyverno,kyverno-background-controller] - [PodDisruptionBudget/*,kyverno,kyverno-background-controller] - [PodDisruptionBudget,kyverno,kyverno-cleanup-controller] - 
[PodDisruptionBudget/*,kyverno,kyverno-cleanup-controller] - [PodDisruptionBudget,kyverno,kyverno-reports-controller] - [PodDisruptionBudget/*,kyverno,kyverno-reports-controller] - [Service,kyverno,kyverno-svc] - [Service/*,kyverno,kyverno-svc] - [Service,kyverno,kyverno-svc-metrics] - [Service/*,kyverno,kyverno-svc-metrics] - [Service,kyverno,kyverno-background-controller-metrics] - [Service/*,kyverno,kyverno-background-controller-metrics] - [Service,kyverno,kyverno-cleanup-controller] - [Service/*,kyverno,kyverno-cleanup-controller] - [Service,kyverno,kyverno-cleanup-controller-metrics] - [Service/*,kyverno,kyverno-cleanup-controller-metrics] - [Service,kyverno,kyverno-reports-controller-metrics] - [Service/*,kyverno,kyverno-reports-controller-metrics] - [ServiceMonitor,kyverno,kyverno-admission-controller] - [ServiceMonitor,kyverno,kyverno-background-controller] - [ServiceMonitor,kyverno,kyverno-cleanup-controller] - [ServiceMonitor,kyverno,kyverno-reports-controller] - [Secret,kyverno,kyverno-svc.kyverno.svc.*] - [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*] - webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]' ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: kyverno-metrics - namespace: kyverno - labels: - app.kubernetes.io/component: config - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -data: - namespaces: "{\"exclude\":[],\"include\":[]}" - bucketBoundaries: "0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30" ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - 
controller-gen.kubebuilder.io/version: v0.12.0 - name: admissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: AdmissionReport - listKind: AdmissionReportList - plural: admissionreports - shortNames: - - admr - singular: admissionreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.summary.pass - name: PASS - type: integer - - jsonPath: .spec.summary.fail - name: FAIL - type: integer - - jsonPath: .spec.summary.warn - name: WARN - type: integer - - jsonPath: .spec.summary.error - name: ERROR - type: integer - - jsonPath: .spec.summary.skip - name: SKIP - type: integer - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] - name: GVR - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] - name: REF - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: AdmissionReport is the Schema for the AdmissionReports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. 
a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. 
- format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: backgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: BackgroundScanReport - listKind: BackgroundScanReportList - plural: backgroundscanreports - shortNames: - - bgscanr - singular: backgroundscanreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: 
.spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: BackgroundScanReport is the Schema for the BackgroundScanReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. 
For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. 
- \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. 
Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: cleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: CleanupPolicy - listKind: CleanupPolicyList - plural: cleanuppolicies - shortNames: - - cleanpol - singular: cleanuppolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: 
.spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - name: v2alpha1 - schema: - openAPIV3Schema: - description: CleanupPolicy defines a rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. 
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. 
- The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. - properties: - data: - description: Data specifies the POST data sent to the server. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. 
- type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). 
Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. 
- properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). 
- type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. 
Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2beta1 - schema: - openAPIV3Schema: - description: CleanupPolicy defines a rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. 
This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. 
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. - properties: - data: - description: Data specifies the POST data sent to the server. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. 
- type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. 
- enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. 
- properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). 
Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. 
- properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' 
- type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clusteradmissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterAdmissionReport - listKind: ClusterAdmissionReportList - plural: clusteradmissionreports - shortNames: - - cadmr - singular: clusteradmissionreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - 
name: AGE - type: date - - jsonPath: .spec.summary.pass - name: PASS - type: integer - - jsonPath: .spec.summary.fail - name: FAIL - type: integer - - jsonPath: .spec.summary.warn - name: WARN - type: integer - - jsonPath: .spec.summary.error - name: ERROR - type: integer - - jsonPath: .spec.summary.skip - name: SKIP - type: integer - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] - name: GVR - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] - name: REF - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. 
See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. 
- \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' 
- type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. 
- format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clusterbackgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterBackgroundScanReport - listKind: ClusterBackgroundScanReportList - plural: clusterbackgroundscanreports - shortNames: - - cbgscanr - singular: clusterbackgroundscanreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - 
type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. 
- format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clustercleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterCleanupPolicy - listKind: ClusterCleanupPolicyList - plural: clustercleanuppolicies - shortNames: - - ccleanpol - singular: clustercleanuppolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - name: v2alpha1 - schema: - openAPIV3Schema: - description: ClusterCleanupPolicy defines rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. 
Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. 
- The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. 
- properties: - data: - description: Data specifies the POST data sent to the server. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. 
- type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. 
Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' 
- type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). 
Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. 
- properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2beta1 - schema: - openAPIV3Schema: - description: ClusterCleanupPolicy defines rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. 
- items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. 
- Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. - properties: - data: - description: Data specifies the POST data sent to the server. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. 
- type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. 
- enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. 
- properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). 
Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. 
- properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' 
- type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clusterpolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterPolicy - listKind: ClusterPolicyList - plural: clusterpolicies - shortNames: - - cpol - singular: clusterpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: 
.spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - admission: - default: true - description: Admission controls if rules are applied during admission. - Optional. Default value is "true". 
- type: boolean - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. 
Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 
'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - data: - description: Data specifies the POST data sent to - the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. 
- A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. 
- items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. 
- type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. 
Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. 
Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. 
- type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' - type: string - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. 
- properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. 
- The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. 
- type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. 
- type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. 
- The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. 
In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." - type: string - valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. 
Only - populated if the policy has a ParamKind. - 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited - variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are - escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. 
Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting - elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." - type: string - message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." - type: string - namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. 
\n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" - type: string - selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. 
- type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. 
- items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. 
- type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. 
Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. 
Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. 
The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. 
- enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). 
If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. 
- type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. 
- type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). 
- When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. 
If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. 
This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). 
If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. 
- type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. 
- type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). 
- When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. 
At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. 
have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. 
- items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. 
After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - data: - description: Data specifies the POST data sent - to the server. 
- items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. 
- type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. 
Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. 
Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. 
If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". 
- The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' - type: string - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. 
- type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. 
The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
- Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. 
- items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). 
- enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. 
- enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. 
- enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. 
- properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. 
- type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. 
- properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." 
- type: string - valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources. 
- - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. 
Concatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." - type: string - message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. 
If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." - type: string - namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. 
- \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" - type: string - selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. 
- type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. 
- items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. 
- type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. 
Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. 
- items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. 
- See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. 
authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. 
- type: string - type: object - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. 
- If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. 
The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. 
- type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
- properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. 
- properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. 
- If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. 
- type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. 
- type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: 
Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v2beta1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - admission: - default: true - description: Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. 
- type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. 
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - data: - description: Data specifies the POST data sent to - the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. 
For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. 
It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. 
- properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. 
This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' 
- type: string - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). 
Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. 
- Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. 
- enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. 
Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. 
- type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. 
- type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. 
- The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. 
- x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. 
- properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." - type: string - valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. 
ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited - variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are - escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. 
- The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting - elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." - type: string - message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. 
Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. 
- properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." - type: string - namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" - type: string - selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. 
- type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. 
- type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. 
- type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. 
Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. 
The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. 
- enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. 
An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. 
- type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. 
- type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. 
- AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. 
- An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. 
- type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. 
- type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' 
- items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. - items: - type: string - type: array - type: object - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. 
- enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: AutogenStatus contains autogen status information. 
- properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. 
Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - data: - description: Data specifies the POST data sent - to the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). 
- enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. 
- enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. 
Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. 
- Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. 
- type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' - type: string - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. 
- properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
- Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. 
- items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. 
The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. 
- type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. 
- properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. 
- type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. 
- maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". 
\n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." - type: string - valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. 
- 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". 
Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." - type: string - message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. 
If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." 
- type: string - namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" - type: string - selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. 
- items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. 
- type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. 
Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. 
- items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. 
- See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. 
authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. 
- type: string - type: object - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. 
- If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. 
The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. 
- type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
- properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. 
- properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. 
- If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. 
- type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. 
- type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: 
Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: policies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: Policy - listKind: PolicyList - plural: policies - shortNames: - - pol - singular: policy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v1 - schema: - openAPIV3Schema: - description: 'Policy 
declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. - properties: - admission: - default: true - description: Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. 
Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 
'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - data: - description: Data specifies the POST data sent to - the server. 
- items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. 
- type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. 
Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. 
If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". 
The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' - type: string - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. 
It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' 
- type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. 
The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). 
- enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. 
- enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. 
- enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. 
- properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. 
- type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." 
- type: string - valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources. 
- 'variables' - Map of composited - variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are - escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. 
Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting - elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." - type: string - message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." - type: string - namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. 
\n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" - type: string - selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. 
- type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. 
- items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. 
- type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. 
Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. 
Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. 
The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. 
- enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). 
If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. 
- type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. 
- type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). 
- When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. 
If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. 
This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). 
If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. 
- type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. 
- type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). 
- When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. 
At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. 
have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. 
- items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. 
After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Deprecated. Policy metrics are available via the metrics - endpoint - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - data: - description: Data specifies the POST data sent - to the server. 
- items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. 
- type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. 
Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. 
Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. 
If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". 
- The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' - type: string - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. 
- type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. 
The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
- Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. 
- items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). 
- enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. 
- enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. 
- enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. 
- properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. 
- type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. 
- properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." 
- type: string - valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources. 
- - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. 
Concatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." - type: string - message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. 
If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." - type: string - namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. 
- \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" - type: string - selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. 
- type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. 
- items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. 
- type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. 
Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. 
- items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. 
- See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. 
authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. 
- type: string - type: object - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. 
- If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. 
The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. 
- type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
- properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. 
- properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. 
- If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. 
- type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. 
- type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: 
Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v2beta1 - schema: - openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. - properties: - admission: - default: true - description: Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. 
Defaults - to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. 
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - data: - description: Data specifies the POST data sent to - the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. 
For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. 
It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. 
- properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. 
This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' 
- type: string - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). 
Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. 
- Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. 
- enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. 
Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. 
- type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. 
- type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. 
- The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. 
- x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. 
- properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." - type: string - valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. 
ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited - variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are - escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. 
- The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting - elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." - type: string - message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. 
Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. 
- properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." - type: string - namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" - type: string - selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. 
- type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. 
- type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. 
- type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. 
Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. 
The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. 
- enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. 
An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. 
- type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. 
- type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. 
- AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. 
- An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. 
- type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. 
- type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' 
- items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. - items: - type: string - type: array - type: object - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. 
- enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: AutogenStatus contains autogen status information. 
- properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. 
Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - data: - description: Data specifies the POST data sent - to the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). 
- enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. 
- enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. 
Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). 
- items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. 
- Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. 
- type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' - type: string - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. 
- properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
- Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. 
- items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. 
Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. 
The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. 
- type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. 
- properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. 
- type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. 
- maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". 
\n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." - type: string - valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. 
- 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". 
Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." - type: string - message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. 
If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." 
- type: string - namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" - type: string - selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. 
- items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. 
- type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. 
Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. 
- items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. 
- See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. 
authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. 
- type: string - type: object - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. 
- If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. 
The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. 
- type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
- properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. 
- properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. 
- If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. 
- type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. 
- type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: 
Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: policyexceptions.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: PolicyException - listKind: PolicyExceptionList - plural: policyexceptions - shortNames: - - polex - singular: policyexception - scope: Namespaced - versions: - - deprecated: true - name: v2alpha1 - schema: - openAPIV3Schema: - description: PolicyException declares resources to be excluded from specified - policies. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. 
- properties: - background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - exceptions: - description: Exceptions is a list policy/rules to be excluded - items: - description: Exception stores infos about a policy and rules - properties: - policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. - type: string - ruleNames: - description: RuleNames identifies the rules to which the exception - is applied. - items: - type: string - type: array - required: - - policyName - - ruleNames - type: object - type: array - match: - description: Match defines match clause used to check if a resource - applies to the exception - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" 
(at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). 
Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. 
- properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - required: - - exceptions - - match - type: object - required: - - spec - type: object - served: true - storage: false - - name: v2beta1 - schema: - openAPIV3Schema: - description: PolicyException declares resources to be excluded from specified - policies. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. 
- properties: - background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - exceptions: - description: Exceptions is a list policy/rules to be excluded - items: - description: Exception stores infos about a policy and rules - properties: - policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. - type: string - ruleNames: - description: RuleNames identifies the rules to which the exception - is applied. - items: - type: string - type: array - required: - - policyName - - ruleNames - type: object - type: array - match: - description: Match defines match clause used to check if a resource - applies to the exception - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" 
(at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). 
Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. 
- properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - required: - - exceptions - - match - type: object - required: - - spec - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: updaterequests.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: UpdateRequest - listKind: UpdateRequestList - plural: updaterequests - shortNames: - - ur - singular: updaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.requestType - name: RuleType - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName - type: string - - jsonPath: .spec.resource.namespace - name: 
ResourceNamespace - type: string - - jsonPath: .status.state - name: status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: UpdateRequest is a request to process mutate and generate rules - in background. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ResourceSpec is the information to identify the trigger resource. - properties: - context: - description: Context ... - properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - description: AdmissionRequest describes the admission.Attributes - for the admission request. - properties: - dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. - type: boolean - kind: - description: Kind is the fully-qualified type of object - being submitted (for example, v1.Pod or autoscaling.v1.Scale) - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - name: - description: Name is the name of the object as presented - in the request. 
On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. - type: string - namespace: - description: Namespace is the namespace associated with - the request (if any). - type: string - object: - description: Object is the object from the incoming request. - type: object - x-kubernetes-preserve-unknown-fields: true - oldObject: - description: OldObject is the existing object. Only populated - for DELETE and UPDATE requests. - type: object - x-kubernetes-preserve-unknown-fields: true - operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. - type: string - options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. - type: object - x-kubernetes-preserve-unknown-fields: true - requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. 
\n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." 
- properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. - type: string - resource: - description: Resource is the fully-qualified resource - being requested (for example, v1.pods) - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - subResource: - description: SubResource is the subresource being requested, - if any (for example, "status" or "scale") - type: string - uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. - type: string - userInfo: - description: UserInfo is information about the requesting - user - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by - the authenticator. - type: object - groups: - description: The names of groups this user is a part - of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. 
If this user is deleted and another - user by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this - user among all active users. - type: string - type: object - required: - - kind - - operation - - resource - - uid - - userInfo - type: object - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - deleteDownstream: - description: DeleteDownstream represents whether the downstream needs - to be deleted. - type: boolean - policy: - description: Specifies the name of the policy. 
- type: string - requestType: - description: Type represents request type for background processing - enum: - - mutate - - generate - type: string - resource: - description: ResourceSpec is the information to identify the trigger - resource. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - uid: - description: UID specifies the resource uid. - type: string - type: object - rule: - description: Rule is the associate rule name of the current UR. - type: string - synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. - type: boolean - required: - - context - - deleteDownstream - - policy - - resource - - rule - type: object - status: - description: Status contains statistics related to update request. - properties: - generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - handler: - description: Deprecated - type: string - message: - description: Specifies request status message. - type: string - retryCount: - type: integer - state: - description: State represents state of the update request. 
- type: string - required: - - state - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clusterpolicyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: ClusterPolicyReport - listKind: ClusterPolicyReportList - plural: clusterpolicyreports - shortNames: - - cpolr - singular: clusterpolicyreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - type: string - - jsonPath: .scope.name - name: Name - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. 
For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.1.4 - helm.sh/chart: crds-3.1.4 - annotations: - 
controller-gen.kubebuilder.io/version: v0.12.0 - name: policyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: PolicyReport - listKind: PolicyReportList - plural: policyreports - shortNames: - - polr - singular: policyreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - type: string - - jsonPath: .scope.name - name: Name - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: PolicyReport is the Schema for the policyreports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. 
For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:admission-controller - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -aggregationRule: - clusterRoleSelectors: - - 
matchLabels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:admission-controller:core - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - clusterroles - - rolebindings - - clusterrolebindings - verbs: - - list - - watch - - apiGroups: - - kyverno.io - resources: - - policies - - policies/status - - clusterpolicies - - clusterpolicies/status - - updaterequests - - updaterequests/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - update - - patch - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:background-controller - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - 
app.kubernetes.io/version: v1.11.4 -aggregationRule: - clusterRoleSelectors: - - matchLabels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:background-controller:core - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -rules: - - apiGroups: - - kyverno.io - resources: - - policies - - clusterpolicies - - policyexceptions - - updaterequests - - updaterequests/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - '' - resources: - - namespaces - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - get - - list - - patch - - update - - watch - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - - ingressclasses - - networkpolicies - verbs: - - create - - update - - patch - - delete - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - configmaps - - secrets - - resourcequotas - - limitranges - verbs: - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:cleanup-controller - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -aggregationRule: - clusterRoleSelectors: - - matchLabels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:cleanup-controller:core - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - kyverno.io - resources: - - clustercleanuppolicies - - cleanuppolicies - verbs: - - list - - watch - - apiGroups: - - kyverno.io - resources: - - clustercleanuppolicies/status - - cleanuppolicies/status - verbs: - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno-cleanup-jobs - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - verbs: - - list - - deletecollection - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:rbac:admin:policies - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - kyverno.io - resources: - - cleanuppolicies - - clustercleanuppolicies - - policies - - clusterpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:rbac:view:policies - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: - - kyverno.io - resources: - - cleanuppolicies - - clustercleanuppolicies - - policies - - clusterpolicies - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:rbac:admin:policyreports - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - clusterpolicyreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:rbac:view:policyreports - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - clusterpolicyreports - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:rbac:admin:reports - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch 
- - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:rbac:view:reports - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:rbac:admin:updaterequests - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:rbac:view:updaterequests - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:reports-controller - labels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -aggregationRule: - clusterRoleSelectors: - - matchLabels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole 
-metadata: - name: kyverno:reports-controller:core - labels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - patch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:admission-controller - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:admission-controller -subjects: - - kind: ServiceAccount - name: kyverno-admission-controller - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:background-controller - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:background-controller -subjects: -- kind: ServiceAccount - name: kyverno-background-controller - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: 
kyverno:cleanup-controller - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:cleanup-controller -subjects: -- kind: ServiceAccount - name: kyverno-cleanup-controller - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno-cleanup-jobs - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno-cleanup-jobs -subjects: - - kind: ServiceAccount - name: kyverno-cleanup-jobs - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:reports-controller - labels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:reports-controller -subjects: -- kind: ServiceAccount - name: kyverno-reports-controller - namespace: kyverno ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kyverno:admission-controller - namespace: kyverno - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - resourceNames: - - kyverno - - kyverno-metrics - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update - # Allow update of 
Kyverno deployment annotations - - apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kyverno:background-controller - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - namespace: kyverno -rules: - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - resourceNames: - - kyverno - - kyverno-metrics - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - delete - - get - - patch - - update - resourceNames: - - kyverno-background-controller - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kyverno:cleanup-controller - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - namespace: kyverno -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - create - - apiGroups: - - '' - resources: - - secrets - verbs: - - delete - - get - - list - - update - - watch - resourceNames: - - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca - - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - resourceNames: - - kyverno - - kyverno-metrics - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - delete - - get - - patch - - update - resourceNames: - - kyverno-cleanup-controller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kyverno:reports-controller - 
labels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - namespace: kyverno -rules: - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - resourceNames: - - kyverno - - kyverno-metrics - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - delete - - get - - patch - - update - resourceNames: - - kyverno-reports-controller ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:admission-controller - namespace: kyverno - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kyverno:admission-controller -subjects: - - kind: ServiceAccount - name: kyverno-admission-controller - namespace: kyverno ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:background-controller - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - namespace: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kyverno:background-controller -subjects: - - kind: ServiceAccount - name: kyverno-background-controller - namespace: kyverno ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:cleanup-controller - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - namespace: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kyverno:cleanup-controller -subjects: - - 
kind: ServiceAccount - name: kyverno-cleanup-controller - namespace: kyverno ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:reports-controller - labels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - namespace: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kyverno:reports-controller -subjects: - - kind: ServiceAccount - name: kyverno-reports-controller - namespace: kyverno ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-svc - namespace: kyverno - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - ports: - - port: 443 - targetPort: https - protocol: TCP - name: https - selector: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-svc-metrics - namespace: kyverno - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: metrics-port - selector: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-background-controller-metrics - namespace: kyverno - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: metrics-port - selector: - 
app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-cleanup-controller - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - ports: - - port: 443 - targetPort: https - protocol: TCP - name: https - selector: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-cleanup-controller-metrics - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: metrics-port - selector: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-reports-controller-metrics - namespace: kyverno - labels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: metrics-port - selector: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kyverno-admission-controller - namespace: kyverno - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - 
replicas: - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - template: - metadata: - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - spec: - dnsPolicy: ClusterFirst - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - admission-controller - topologyKey: kubernetes.io/hostname - weight: 1 - serviceAccountName: kyverno-admission-controller - initContainers: - - name: kyverno-pre - image: "ghcr.io/kyverno/kyvernopre:v1.11.4" - imagePullPolicy: IfNotPresent - args: - - --loggingFormat=text - - --v=2 - resources: - limits: - cpu: 100m - memory: 256Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - env: - - name: KYVERNO_SERVICEACCOUNT_NAME - value: kyverno-admission-controller - - name: INIT_CONFIG - value: kyverno - - name: METRICS_CONFIG - value: kyverno-metrics - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_DEPLOYMENT - value: kyverno-admission-controller - - name: KYVERNO_SVC - value: kyverno-svc - containers: - - name: kyverno - image: "ghcr.io/kyverno/kyverno:v1.11.4" - imagePullPolicy: IfNotPresent - args: - - --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca - - --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair - - 
--backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller - - --servicePort=443 - - --disableMetrics=false - - --otelConfig=prometheus - - --metricsPort=8000 - - --admissionReports=true - - --autoUpdateWebhooks=true - - --enableConfigMapCaching=true - - --enableDeferredLoading=true - - --dumpPayload=false - - --forceFailurePolicyIgnore=false - - --generateValidatingAdmissionPolicy=false - - --loggingFormat=text - - --v=2 - - --enablePolicyException=true - - --protectManagedResources=false - - --allowInsecureRegistry=false - - --registryCredentialHelpers=default,google,amazon,azure,github - resources: - limits: - memory: 384Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics-port - protocol: TCP - env: - - name: INIT_CONFIG - value: kyverno - - name: METRICS_CONFIG - value: kyverno-metrics - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_SERVICEACCOUNT_NAME - value: kyverno-admission-controller - - name: KYVERNO_SVC - value: kyverno-svc - - name: TUF_ROOT - value: /.sigstore - - name: KYVERNO_DEPLOYMENT - value: kyverno-admission-controller - startupProbe: - failureThreshold: 20 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 2 - periodSeconds: 6 - livenessProbe: - failureThreshold: 2 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - httpGet: - path: /health/readiness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 5 - 
periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - volumeMounts: - - mountPath: /.sigstore - name: sigstore - volumes: - - name: sigstore - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kyverno-background-controller - namespace: kyverno - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - replicas: - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - template: - metadata: - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - spec: - dnsPolicy: ClusterFirst - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - background-controller - topologyKey: kubernetes.io/hostname - weight: 1 - serviceAccountName: kyverno-background-controller - containers: - - name: controller - image: "ghcr.io/kyverno/background-controller:v1.11.4" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics - protocol: TCP - args: - - --disableMetrics=false - - --otelConfig=prometheus - - --metricsPort=8000 - - --enableConfigMapCaching=true - - --enableDeferredLoading=true - - --loggingFormat=text - - --v=2 - - --enablePolicyException=true - env: - - name: KYVERNO_SERVICEACCOUNT_NAME - value: kyverno-background-controller - - name: KYVERNO_DEPLOYMENT - value: kyverno-background-controller - - name: INIT_CONFIG - value: kyverno - - name: METRICS_CONFIG - value: kyverno-metrics - - name: 
KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - limits: - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kyverno-cleanup-controller - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - replicas: - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - template: - metadata: - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - spec: - dnsPolicy: ClusterFirst - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - cleanup-controller - topologyKey: kubernetes.io/hostname - weight: 1 - serviceAccountName: kyverno-cleanup-controller - containers: - - name: controller - image: "ghcr.io/kyverno/cleanup-controller:v1.11.4" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics - protocol: TCP - args: - - --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca - - --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair - - --servicePort=443 - - --disableMetrics=false - - --otelConfig=prometheus 
- - --metricsPort=8000 - - --enableDeferredLoading=true - - --dumpPayload=false - - --loggingFormat=text - - --v=2 - - --ttlReconciliationInterval=1m - env: - - name: KYVERNO_DEPLOYMENT - value: kyverno-cleanup-controller - - name: INIT_CONFIG - value: kyverno - - name: METRICS_CONFIG - value: kyverno-metrics - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_SERVICEACCOUNT_NAME - value: kyverno-cleanup-controller - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_SVC - value: kyverno-cleanup-controller - resources: - limits: - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 20 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 2 - periodSeconds: 6 - livenessProbe: - failureThreshold: 2 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - httpGet: - path: /health/readiness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kyverno-reports-controller - namespace: kyverno - labels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - replicas: - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - template: - metadata: - labels: - 
app.kubernetes.io/component: reports-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 - spec: - dnsPolicy: ClusterFirst - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - reports-controller - topologyKey: kubernetes.io/hostname - weight: 1 - serviceAccountName: kyverno-reports-controller - containers: - - name: controller - image: "ghcr.io/kyverno/reports-controller:v1.11.4" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics - protocol: TCP - args: - - --disableMetrics=false - - --otelConfig=prometheus - - --metricsPort=8000 - - --admissionReports=true - - --aggregateReports=true - - --policyReports=true - - --validatingAdmissionPolicyReports=false - - --backgroundScan=true - - --backgroundScanWorkers=2 - - --backgroundScanInterval=1h - - --skipResourceFilters=true - - --enableConfigMapCaching=true - - --enableDeferredLoading=true - - --loggingFormat=text - - --v=2 - - --enablePolicyException=true - - --reportsChunkSize=1000 - - --allowInsecureRegistry=false - - --registryCredentialHelpers=default,google,amazon,azure,github - env: - - name: KYVERNO_SERVICEACCOUNT_NAME - value: kyverno-reports-controller - - name: KYVERNO_DEPLOYMENT - value: kyverno-reports-controller - - name: INIT_CONFIG - value: kyverno - - name: METRICS_CONFIG - value: kyverno-metrics - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: TUF_ROOT - value: /.sigstore - resources: - limits: - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: 
true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /.sigstore - name: sigstore - volumes: - - name: sigstore - emptyDir: {} ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: kyverno-cleanup-admission-reports - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - schedule: "*/10 * * * *" - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - metadata: - spec: - serviceAccountName: kyverno-cleanup-jobs - containers: - - name: cleanup - image: "bitnami/kubectl:1.28.5" - imagePullPolicy: - command: - - /bin/sh - - -c - - | - COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt 10000 ]; then - echo "too many reports found ($COUNT), cleaning up..." - kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' - else - echo "($COUNT) reports found, no clean up needed" - fi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: kyverno-cleanup-cluster-admission-reports - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.11.4 -spec: - schedule: "*/10 * * * *" - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - metadata: - spec: - serviceAccountName: kyverno-cleanup-jobs - containers: - - name: cleanup - image: "bitnami/kubectl:1.28.5" - imagePullPolicy: - command: - - /bin/sh - - -c - - | - COUNT=$(kubectl get 
clusteradmissionreports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt 10000 ]; then - echo "too many reports found ($COUNT), cleaning up..." - kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' - else - echo "($COUNT) reports found, no clean up needed" - fi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure diff --git a/carvel-packages/installer/bundle/config/ytt/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/values-schema.yaml index f5087e58..7b00af0c 100644 --- a/carvel-packages/installer/bundle/config/ytt/values-schema.yaml +++ b/carvel-packages/installer/bundle/config/ytt/values-schema.yaml @@ -317,5 +317,7 @@ imagePuller: #@schema/validation min_len=1 - "" #@schema/nullable -lookup: - enabled: true \ No newline at end of file +lookupService: + enabled: false + #@schema/nullable + ingressPrefix: "educates-api" \ No newline at end of file diff --git a/client-programs/pkg/config/installationconfig.go b/client-programs/pkg/config/installationconfig.go index 8110c0af..a435d493 100644 --- a/client-programs/pkg/config/installationconfig.go +++ b/client-programs/pkg/config/installationconfig.go @@ -251,8 +251,9 @@ type ImagePullerConfig struct { PrePullImages []string `yaml:"prePullImages,omitempty"` } -type LookupConfig struct { - Enabled *bool `yaml:"enabled"` +type LookupServiceConfig struct { + Enabled *bool `yaml:"enabled"` + IngressPrefix string `yaml:"ingressPrefix,omitempty"` } type ClusterEssentialsConfig struct { 
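Review bot: The `#@schema/nullable` annotation on the new `ingressPrefix` key makes its effective default null — under ytt schema rules the literal `"educates-api"` then only fixes the type — so the lookup-service ingress prefix is unset unless a user supplies one, which the literal suggests is not the intent. If "educates-api" is meant to be the default, drop the annotation and instead guard the value with `#@schema/validation min_len=1`, as the `imagePuller` entries in this hunk's context already do, since an empty prefix would flow straight into a generated hostname. The flip of `enabled` from `true` to `false` under the renamed key also changes the installer's default behaviour and deserves a changelog line.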
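Review bot: Renaming the YAML tag from `lookup` to `lookupService` in `LookupServiceConfig` and in the two embedding structs (the hunks at -278 and -303 below) drops the old key without any alias, so an existing installation config that still says `lookup:` is silently ignored unless the decoder used for these structs rejects unknown fields, which is not visible here. Either keep a deprecated `Lookup *LookupConfig` field tagged `yaml:"lookup,omitempty"` that is folded into `LookupService` at load time, or make the decoder strict so the stale key is reported rather than dropped. `IngressPrefix` is also undocumented; a one-line comment stating what it prefixes (presumably the lookup-service ingress host) would help the next reader.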
@@ -278,7 +279,7 @@ type TrainingPlatformConfig struct { WorkshopAnalytics WorkshopAnalyticsConfig `yaml:"workshopAnalytics,omitempty"` WebsiteStyling WebsiteStylingConfig `yaml:"websiteStyling,omitempty"` ImagePuller ImagePullerConfig `yaml:"imagePuller,omitempty"` - Lookup LookupConfig `yaml:"lookup,omitempty"` + LookupService LookupServiceConfig `yaml:"lookupService,omitempty"` } type InstallationConfig struct { @@ -303,7 +304,7 @@ type InstallationConfig struct { WorkshopAnalytics WorkshopAnalyticsConfig `yaml:"workshopAnalytics,omitempty"` WebsiteStyling WebsiteStylingConfig `yaml:"websiteStyling,omitempty"` ImagePuller ImagePullerConfig `yaml:"imagePuller,omitempty"` - Lookup LookupConfig `yaml:"lookup,omitempty"` + LookupService LookupServiceConfig `yaml:"lookupService,omitempty"` } type EducatesDomainStruct struct { From 149bf175fb0326932070e51ce662dd75a0bc0e35 Mon Sep 17 00:00:00 2001 
From: Jorge Morales Pou Date: Wed, 7 Aug 2024 13:56:02 +0200 Subject: [PATCH 05/11] Infrastructure packages refactored --- .../custom/00-remove-toplevel-values.yaml | 2 +- .../10-default-settings-for-provider.yaml} | 15 ++++---- .../infrastructure/custom/10-defaults.yaml | 27 -------------- .../50-packages-enablement.yaml} | 4 +-- .../custom/80-copy-educates-config.yaml | 10 ++++++ .../infrastructure/custom/90-overlays.yaml | 26 ++++++++++++++ .../custom/99-remove-settings-disabled.yaml | 36 +++++++++++++++++++ .../_ytt_lib/infrastructure/custom/README.md | 3 +- .../infrastructure/custom/defaults.star | 4 +++ .../infrastructure/custom/educates.lib.yaml | 7 +++- .../infrastructure/custom/functions.star | 18 ++++++++++ .../eks/00-remove-toplevel-values.yaml | 2 +- ... => 10-default-settings-for-provider.yaml} | 19 +++++----- ...kages.yaml => 50-packages-enablement.yaml} | 4 +-- .../80-copy-educates-config.yaml} | 3 +- .../eks/99-remove-settings-disabled.yaml | 36 +++++++++++++++++++ .../_ytt_lib/infrastructure/eks/defaults.star | 10 ++++++ .../infrastructure/eks/educates.lib.yaml | 7 +++- .../infrastructure/eks/functions.star | 18 ++++++++++ .../generic/00-remove-toplevel-values.yaml | 2 +- .../10-default-settings-for-provider.yaml} | 15 ++++---- .../generic/50-all-packages.yaml | 15 -------- .../generic/50-packages-enablement.yaml | 10 ++++++ .../generic/80-copy-educates-config.yaml | 10 ++++++ .../generic/99-remove-settings-disabled.yaml | 36 +++++++++++++++++++ .../_ytt_lib/infrastructure/generic/README.md | 4 +++ .../infrastructure/generic/defaults.star | 6 ++++ .../infrastructure/generic/educates.lib.yaml | 10 ++++-- .../infrastructure/generic/functions.star | 18 ++++++++++ .../gke/00-remove-toplevel-values.yaml | 2 +- ... 
=> 10-default-settings-for-provider.yaml} | 18 +++++----- .../50-packages-enablement.yaml} | 17 +-------- .../gke/80-copy-educates-config.yaml | 10 ++++++ .../gke/99-remove-settings-disabled.yaml | 36 +++++++++++++++++++ .../_ytt_lib/infrastructure/gke/defaults.star | 10 ++++++ .../infrastructure/gke/educates.lib.yaml | 7 +++- .../infrastructure/gke/functions.star | 18 ++++++++++ .../kind/00-remove-toplevel-values.yaml | 2 +- ... => 10-default-settings-for-provider.yaml} | 19 +++++----- .../kind/50-packages-enablement.yaml | 28 +++++++++++++++ .../kind/80-remove-settings-disabled.yaml | 32 +++++++++++++++++ .../kind/89-copy-educates-config.yaml | 10 ++++++ .../infrastructure/kind/90-overlays.yaml | 18 ++++------ .../95-remove-educates-settings-disabled.yaml | 12 +++++++ .../infrastructure/kind/defaults.star | 7 ++++ .../infrastructure/kind/educates.lib.yaml | 13 ++++--- .../infrastructure/kind/functions.star | 17 +++++++++ .../vcluster/00-remove-toplevel-values.yaml | 2 +- .../10-default-settings-for-provider.yaml | 31 ++++++++++++++++ ...kages.yaml => 50-packages-enablement.yaml} | 4 +-- .../vcluster/80-copy-educates-config.yaml | 10 ++++++ .../{99-overlays.yaml => 90-overlays.yaml} | 0 .../vcluster/99-remove-settings-disabled.yaml | 36 +++++++++++++++++++ .../infrastructure/vcluster/README.md | 6 ++++ .../infrastructure/vcluster/defaults.star | 4 +++ .../infrastructure/vcluster/educates.lib.yaml | 10 ++++-- .../infrastructure/vcluster/functions.star | 18 ++++++++++ 57 files changed, 631 insertions(+), 143 deletions(-) rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/{generic/10-defaults.yaml => custom/10-default-settings-for-provider.yaml} (50%) delete mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-defaults.yaml rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/{gke/50-all-packages.yaml => custom/50-packages-enablement.yaml} (91%) create mode 100644 
carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/80-copy-educates-config.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/90-overlays.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/99-remove-settings-disabled.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/defaults.star create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/functions.star rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/{10-defaults.yaml => 10-default-settings-for-provider.yaml} (78%) rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/{50-all-packages.yaml => 50-packages-enablement.yaml} (91%) rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/{kind/50-all-packages.yaml => eks/80-copy-educates-config.yaml} (76%) create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/99-remove-settings-disabled.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/defaults.star create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/{vcluster/10-defaults.yaml => generic/10-default-settings-for-provider.yaml} (50%) delete mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-all-packages.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-packages-enablement.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/80-copy-educates-config.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/99-remove-settings-disabled.yaml create mode 100644 
carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/README.md create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/defaults.star create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/functions.star rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/{10-defaults.yaml => 10-default-settings-for-provider.yaml} (81%) rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/{custom/50-all-packages.yaml => gke/50-packages-enablement.yaml} (50%) create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/80-copy-educates-config.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/99-remove-settings-disabled.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/defaults.star create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/{10-defaults.yaml => 10-default-settings-for-provider.yaml} (56%) create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-packages-enablement.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/80-remove-settings-disabled.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/89-copy-educates-config.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/95-remove-educates-settings-disabled.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/defaults.star create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-default-settings-for-provider.yaml rename 
carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/{50-all-packages.yaml => 50-packages-enablement.yaml} (91%) create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/80-copy-educates-config.yaml rename carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/{99-overlays.yaml => 90-overlays.yaml} (100%) create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/99-remove-settings-disabled.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/README.md create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/functions.star diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml index 8833f111..c64d2fda 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookupService: \ No newline at end of file +lookupService: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/10-defaults.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-default-settings-for-provider.yaml similarity index 50% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/10-defaults.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-default-settings-for-provider.yaml index c9fcc082..221ebf2c 100644 
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/10-defaults.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-default-settings-for-provider.yaml @@ -1,5 +1,6 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageEnableByDefault") #! This file contains default values for the custom infrastructure provider. #! These are the values that will be set if not overridden by the user. @@ -8,23 +9,23 @@ #@overlay/replace clusterPackages: contour: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("contour") settings: {} cert-manager: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("cert-manager") settings: {} external-dns: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("external-dns") settings: {} certs: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("certs") settings: {} kyverno: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("kyverno") settings: {} kapp-controller: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("kapp-controller") settings: {} educates: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("educates") settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-defaults.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-defaults.yaml deleted file mode 100644 index ebfaee50..00000000 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-defaults.yaml +++ /dev/null 
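Review bot: Each `enabled:` value in the second hunk now comes from `isClusterPackageEnableByDefault("<name>")` with the package name repeated as a free-form string literal, so a misspelled name is not caught by ytt and yields whatever the helper returns for an unknown key; `functions.star` is not in this hunk, but the helper should `fail()` on a name it does not recognise rather than fall back to a default. The file header still says it "contains default values" while the values are now resolved by the helper; `#! Per-package defaults are resolved by isClusterPackageEnableByDefault (see functions.star).` would keep the comment accurate.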
@@ -1,27 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:overlay", "overlay") - -#@overlay/match-child-defaults missing_ok=True -#@overlay/replace -clusterPackages: - contour: - enabled: false - settings: {} - cert-manager: - enabled: false - settings: {} - external-dns: - enabled: false - settings: {} - certs: - enabled: false - settings: {} - kyverno: - enabled: false - settings: {} - kapp-controller: - enabled: false - settings: {} - educates: - enabled: false - settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/50-all-packages.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/50-packages-enablement.yaml similarity index 91% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/50-all-packages.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/50-packages-enablement.yaml index 5e44f336..0a383ee3 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/50-all-packages.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/50-packages-enablement.yaml @@ -1,8 +1,7 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") -#@ load("educates.lib.yaml", "copy_all_educates_values") -#! This copies user provided values for the custom infrastructure provider. +#! This enables packages based on the user input #@overlay/match-child-defaults missing_ok=True clusterPackages: @@ -27,4 +26,3 @@ clusterPackages: educates: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"): enabled: #@ data.values.clusterPackages.educates.enabled - settings: #@ copy_all_educates_values() 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/80-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/80-copy-educates-config.yaml new file mode 100644 index 00000000..59fdcb48 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/80-copy-educates-config.yaml @@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("educates.lib.yaml", "copy_all_educates_values") + +#! This copies user provided values for the custom infrastructure provider. + +#! #@overlay/match-child-defaults missing_ok=True +#! clusterPackages: +#! educates: +#! settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/90-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/90-overlays.yaml new file mode 100644 index 00000000..27247f98 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/90-overlays.yaml 
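Review bot: custom/80-copy-educates-config.yaml is added with its whole overlay commented out with `#!`, so the file only loads `copy_all_educates_values` and emits nothing; for the custom provider the educates settings therefore come solely from `clusterPackages.educates.settings` through 90-overlays.yaml, which matches the README but leaves a dead file and an unused load. Either drop the file, or replace the commented block with a one-line `#! The custom provider does not copy the main config; educates settings must be given under clusterPackages.educates.settings.` so the next reader does not assume the copy was disabled by accident.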
@@ -0,0 +1,26 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "settings"): + settings: #@ data.values.clusterPackages.contour.settings + cert-manager: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "settings"): + settings: #@ data.values.clusterPackages["cert-manager"].settings + external-dns: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "settings"): + settings: #@ data.values.clusterPackages["external-dns"].settings + certs: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "settings"): + settings: #@ data.values.clusterPackages.certs.settings + kyverno: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "settings"): + settings: #@ data.values.clusterPackages.kyverno.settings + kapp-controller: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "settings"): + settings: #@ data.values.clusterPackages["kapp-controller"].settings + educates: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages["educates"], "settings"): + settings: #@ data.values.clusterPackages["educates"].settings 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/99-remove-settings-disabled.yaml new file mode 100644 index 00000000..30db2e39 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/99-remove-settings-disabled.yaml @@ -0,0 +1,36 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end isClusterPackageExplicitDisabled("contour"): + #@overlay/replace + settings: {} + cert-manager: + #@ if/end isClusterPackageExplicitDisabled("cert-manager"): + #@overlay/replace + settings: {} + external-dns: + #@ if/end isClusterPackageExplicitDisabled("external-dns"): + #@overlay/replace + settings: {} + certs: + #@ if/end isClusterPackageExplicitDisabled("certs"): + #@overlay/replace + settings: {} + kyverno: + #@ if/end isClusterPackageExplicitDisabled("kyverno"): + #@overlay/replace + settings: {} + kapp-controller: + #@ if/end isClusterPackageExplicitDisabled("kapp-controller"): + #@overlay/replace + settings: {} + educates: + #@ if/end isClusterPackageExplicitDisabled("educates"): + #@overlay/replace + settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/README.md index f2e83a4c..03a04846 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/README.md +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/README.md 
@@ -1,4 +1,5 @@ # Custom For custom we only accept the clusterPackages configuration. All the other configuration will be discarded. -There's no default configuration being applied. \ No newline at end of file +There's no default configuration being applied. +Whatever main config is provided it will be discarded \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/defaults.star new file mode 100644 index 00000000..296e5924 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/defaults.star @@ -0,0 +1,4 @@ +load("@ytt:data", "data") + +enabledByDefaultPackagesList = [ +] \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml index 96bf208f..3cba7762 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml 
@@ -159,7 +159,12 @@ websiteStyling: #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: -imagePuller: #@ data.values.imagePuller +imagePuller: + enabled: #@ data.values.imagePuller.enabled + #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None: + #@overlay/replace + prePullImages: #@ data.values.imagePuller.prePullImages + #@ end #@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: lookupService: #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/functions.star new file mode 100644 index 00000000..6a078759 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/functions.star @@ -0,0 +1,18 @@ +load("@ytt:data", "data") +load("defaults.star", "enabledByDefaultPackagesList") + +def isClusterPackageEnableByDefault(package): + return package in enabledByDefaultPackagesList +end + +def isClusterPackageEnabled(package): + if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"): + return data.values.clusterPackages[package].enabled + else: + return package in enabledByDefaultPackagesList + end +end + +def isClusterPackageExplicitDisabled(package): + return not isClusterPackageEnabled(package) +end \ No newline at end of file 
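Review bot: `isClusterPackageExplicitDisabled` in the new custom/functions.star does not do what its name says: `isClusterPackageEnabled` falls back to `enabledByDefaultPackagesList`, so a package the user never mentions and that is absent from the list is reported as "explicitly disabled", and 99-remove-settings-disabled.yaml then wipes its provider settings. It also returns the raw `enabled` value, so a user-supplied `enabled: null` passes the `hasattr` checks and `not None` becomes `True`, again dropping the settings. Suggest treating null as unset, `v = data.values.clusterPackages[package].enabled` followed by `return v if v != None else package in enabledByDefaultPackagesList`, and renaming the predicate to `isClusterPackageDisabled` or documenting that it also covers default-disabled packages. The same file is added verbatim under eks/ and generic/, so any fix needs to land in all three copies.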
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml index 8833f111..c64d2fda 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookupService: \ No newline at end of file +lookupService: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-defaults.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml similarity index 78% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-defaults.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml index 55ea3e52..1f050dd5 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-defaults.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml @@ -1,6 +1,7 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") #@ load("@ytt:assert", "assert") +#@ load("functions.star", "isClusterPackageEnableByDefault") #@ (hasIrsaRoleExternalDns, _) = assert.try_to(lambda: len(data.values["clusterInfrastructure"]["aws"]["irsaRoles"]["external-dns"]) > 0) #@ if hasIrsaRoleExternalDns: @@ -21,7 +22,7 @@ #@overlay/replace clusterPackages: contour: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("contour") settings: infraProvider: aws configFileContents: 
@@ -33,13 +34,13 @@ clusterPackages: domains: - #@ data.values.clusterIngress.domain cert-manager: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("cert-manager") settings: serviceaccount: annotations: eks.amazonaws.com/role-arn: #@ certManagerIrsaRole external-dns: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("external-dns") settings: infraProvider: aws serviceaccount: @@ -50,25 +51,25 @@ clusterPackages: domain_filter: #@ data.values.clusterInfrastructure.aws.route53.hostedZone if hasattr(data.values.clusterInfrastructure.aws.route53, "hostedZone") else data.values.clusterIngress.domain txt_owner_id: "educates" certs: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("certs") settings: certProvider: acme-aws domains: - - #@ data.values.clusterIngress.domain + - #@ data.values.clusterIngress.domain acme: aws: certs: region: #@ data.values.clusterInfrastructure.aws.region kyverno: - enabled: #@ data.values.clusterSecurity.policyEngine == "kyverno" + enabled: #@ isClusterPackageEnableByDefault("kyverno") settings: {} kapp-controller: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("kapp-controller") settings: {} educates: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("educates") settings: clusterIngress: tlsCertificateRef: namespace: projectcontour - name: educateswildcard \ No newline at end of file + name: educateswildcard diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/50-all-packages.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/50-packages-enablement.yaml similarity index 91% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/50-all-packages.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/50-packages-enablement.yaml index 5e44f336..0a383ee3 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/50-all-packages.yaml 
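Review bot: In this eks defaults hunk `kyverno.enabled` becomes `isClusterPackageEnableByDefault("kyverno")`, a constant true from eks/defaults.star, where it previously followed `data.values.clusterSecurity.policyEngine == "kyverno"`; a user who selects another policy engine will still get kyverno installed unless they also set `clusterPackages.kyverno.enabled: false`, and the two settings appear to be no longer linked anywhere in this change. If `clusterSecurity.policyEngine` is still meant to drive the install, keep it as a second condition, `enabled: #@ isClusterPackageEnableByDefault("kyverno") and data.values.clusterSecurity.policyEngine == "kyverno"`, or remove the setting from the schema so there is one source of truth. The identical substitution is made in the gke defaults file.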
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/50-packages-enablement.yaml @@ -1,8 +1,7 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") -#@ load("educates.lib.yaml", "copy_all_educates_values") -#! This copies user provided values for the custom infrastructure provider. +#! This enables packages based on the user input #@overlay/match-child-defaults missing_ok=True clusterPackages: @@ -27,4 +26,3 @@ clusterPackages: educates: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"): enabled: #@ data.values.clusterPackages.educates.enabled - settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-all-packages.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/80-copy-educates-config.yaml similarity index 76% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-all-packages.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/80-copy-educates-config.yaml index 1ec9023a..1afda1ac 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-all-packages.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/80-copy-educates-config.yaml @@ -2,8 +2,9 @@ #@ load("@ytt:overlay", "overlay") #@ load("educates.lib.yaml", "copy_all_educates_values") +#! This copies user provided values for the custom infrastructure provider. + #@overlay/match-child-defaults missing_ok=True clusterPackages: educates: settings: #@ copy_all_educates_values() - 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/99-remove-settings-disabled.yaml
new file mode 100644
index 00000000..25b8297c
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/99-remove-settings-disabled.yaml
@@ -0,0 +1,36 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("functions.star", "isClusterPackageExplicitDisabled")
+
+#! This removes settings for disabled packages
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+  contour:
+    #@ if/end isClusterPackageExplicitDisabled("contour"):
+    #@overlay/replace
+    settings: {}
+  cert-manager:
+    #@ if/end isClusterPackageExplicitDisabled("cert-manager"):
+    #@overlay/replace
+    settings: {}
+  external-dns:
+    #@ if/end isClusterPackageExplicitDisabled("external-dns"):
+    #@overlay/replace
+    settings: {}
+  certs:
+    #@ if/end isClusterPackageExplicitDisabled("certs"):
+    #@overlay/replace
+    settings: {}
+  kyverno:
+    #@ if/end isClusterPackageExplicitDisabled("kyverno"):
+    #@overlay/replace
+    settings: {}
+  kapp-controller:
+    #@ if/end isClusterPackageExplicitDisabled("kapp-controller"):
+    #@overlay/replace
+    settings: {}
+  #! educates:
+  #!   #@ if/end isClusterPackageExplicitDisabled("educates"):
+  #!   #@overlay/replace
+  #!   settings: {}
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/defaults.star
new file mode 100644
index 00000000..6b948432
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/defaults.star
@@ -0,0 +1,10 @@
+load("@ytt:data", "data")
+
+enabledByDefaultPackagesList = [
+  "cert-manager",
+  "contour",
+  "external-dns",
+  "certs",
+  "kyverno",
+  "educates"
+]
\ No newline at end of file
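Review bot: The `educates` entry in eks/99-remove-settings-disabled.yaml is commented out, so when a user sets `clusterPackages.educates.enabled: false`, eks/80-copy-educates-config.yaml still copies the whole main config (trainingPortal credentials, registry settings, and so on) into `clusterPackages.educates.settings` and nothing strips it, unlike every other package here and unlike the custom provider where the same entry is live. Whether anything reads the settings of a disabled package is not visible in this change, but carrying credentials for a package that will not be installed is needless exposure; either uncomment the block or add a `#! educates settings are kept even when disabled because ...` comment explaining the exemption. The same commented-out block appears in generic/99-remove-settings-disabled.yaml, and the unused `load("@ytt:data", "data")` in defaults.star can go.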
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml index 96bf208f..3cba7762 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml @@ -159,7 +159,12 @@ websiteStyling: #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: -imagePuller: #@ data.values.imagePuller +imagePuller: + enabled: #@ data.values.imagePuller.enabled + #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None: + #@overlay/replace + prePullImages: #@ data.values.imagePuller.prePullImages + #@ end #@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: lookupService: #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star new file mode 100644 index 00000000..6a078759 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star 
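Review bot: `enabled: #@ data.values.imagePuller.enabled` in the eks imagePuller hunk is read without the `hasattr`/`!= None` guard that `prePullImages` gets on the next line, so a user who supplies `imagePuller:` with only `prePullImages` gets a template error unless the values schema defaults `enabled` (not visible here). Mirror the guard: `#@ if/end hasattr(data.values.imagePuller, "enabled") and data.values.imagePuller.enabled != None:` above it. The removed line copied the whole `imagePuller` struct, so any other field a user sets is now silently dropped; if that narrowing is intended, a `#! only enabled/prePullImages are forwarded` comment would make it explicit. The custom and generic copies of educates.lib.yaml carry the same change.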
@@ -0,0 +1,18 @@ +load("@ytt:data", "data") +load("defaults.star", "enabledByDefaultPackagesList") + +def isClusterPackageEnableByDefault(package): + return package in enabledByDefaultPackagesList +end + +def isClusterPackageEnabled(package): + if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"): + return data.values.clusterPackages[package].enabled + else: + return package in enabledByDefaultPackagesList + end +end + +def isClusterPackageExplicitDisabled(package): + return not isClusterPackageEnabled(package) +end \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml index 8833f111..c64d2fda 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookupService: \ No newline at end of file +lookupService: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-defaults.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/10-default-settings-for-provider.yaml similarity index 50% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-defaults.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/10-default-settings-for-provider.yaml index c9fcc082..221ebf2c 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-defaults.yaml 
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/10-default-settings-for-provider.yaml @@ -1,5 +1,6 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageEnableByDefault") #! This file contains default values for the custom infrastructure provider. #! These are the values that will be set if not overridden by the user. @@ -8,23 +9,23 @@ #@overlay/replace clusterPackages: contour: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("contour") settings: {} cert-manager: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("cert-manager") settings: {} external-dns: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("external-dns") settings: {} certs: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("certs") settings: {} kyverno: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("kyverno") settings: {} kapp-controller: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("kapp-controller") settings: {} educates: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("educates") settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-all-packages.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-all-packages.yaml deleted file mode 100644 index a2744e59..00000000 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-all-packages.yaml +++ /dev/null 
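Review bot: generic/10-default-settings-for-provider.yaml keeps the comment `#! This file contains default values for the custom infrastructure provider.` although it now lives under generic/; the same copy-paste shows up in generic/80-copy-educates-config.yaml and in the new generic/README.md, which is titled `# vcluster`. Change it to `#! This file contains default values for the generic infrastructure provider.` and fix the README heading. Since the per-provider directories are near-identical copies, a wrong provider name in a comment is the first sign someone edited the wrong directory, so these are worth keeping accurate.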
@@ -1,15 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:overlay", "overlay") -#@ load("educates.lib.yaml", "copy_all_educates_values") - -#! This copies user provided values for the custom infrastructure provider. -#! The generic provider only allows to enable/disable kyverno, and configure educates - -#@overlay/match-child-defaults missing_ok=True -clusterPackages: - kyverno: - #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"): - enabled: #@ data.values.clusterPackages.kyverno.enabled - educates: - #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"): - settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-packages-enablement.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-packages-enablement.yaml new file mode 100644 index 00000000..8d4b7d34 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-packages-enablement.yaml @@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#! This enables packages based on the user input + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + kyverno: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"): + enabled: #@ data.values.clusterPackages.kyverno.enabled \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/80-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/80-copy-educates-config.yaml new file mode 100644 index 00000000..1afda1ac --- /dev/null 
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/80-copy-educates-config.yaml @@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("educates.lib.yaml", "copy_all_educates_values") + +#! This copies user provided values for the custom infrastructure provider. + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/99-remove-settings-disabled.yaml new file mode 100644 index 00000000..25b8297c --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/99-remove-settings-disabled.yaml @@ -0,0 +1,36 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end isClusterPackageExplicitDisabled("contour"): + #@overlay/replace + settings: {} + cert-manager: + #@ if/end isClusterPackageExplicitDisabled("cert-manager"): + #@overlay/replace + settings: {} + external-dns: + #@ if/end isClusterPackageExplicitDisabled("external-dns"): + #@overlay/replace + settings: {} + certs: + #@ if/end isClusterPackageExplicitDisabled("certs"): + #@overlay/replace + settings: {} + kyverno: + #@ if/end isClusterPackageExplicitDisabled("kyverno"): + #@overlay/replace + settings: {} + kapp-controller: + #@ if/end isClusterPackageExplicitDisabled("kapp-controller"): + #@overlay/replace + settings: {} + #! educates: + #! #@ if/end isClusterPackageExplicitDisabled("educates"): + #! #@overlay/replace + #! settings: {} 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/README.md new file mode 100644 index 00000000..d439c6d2 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/README.md @@ -0,0 +1,4 @@ +# vcluster +By default, only kyverno and educates will be installed +We only allow to enabling/disabling kyverno +We copy all educates main config to the clusterPackage diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/defaults.star new file mode 100644 index 00000000..e0e22857 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/defaults.star @@ -0,0 +1,6 @@ +load("@ytt:data", "data") + +enabledByDefaultPackagesList = [ + "kyverno", + "educates" +] \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml index 96bf208f..b721fccf 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml @@ -1,6 +1,5 @@ #@ load("@ytt:data", "data") -#! TODO: Customize certs name reference in eks #@ def copy_all_educates_values(): #@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: 
@@ -72,7 +71,7 @@ trainingPortal: username: #@ data.values.trainingPortal.credentials.admin.username #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None: password: #@ data.values.trainingPortal.credentials.admin.password - #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None: + #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.admin != None: robot: #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None: username: #@ data.values.trainingPortal.credentials.robot.username @@ -159,7 +158,12 @@ websiteStyling: #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: -imagePuller: #@ data.values.imagePuller +imagePuller: + enabled: #@ data.values.imagePuller.enabled + #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None: + #@overlay/replace + prePullImages: #@ data.values.imagePuller.prePullImages + #@ end #@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: lookupService: #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/functions.star new file mode 100644 index 00000000..6a078759 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/functions.star 
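Review bot: The robot-credentials guard in the generic educates.lib.yaml hunk now tests `data.values.trainingPortal.credentials.admin != None` while the block it guards reads `.robot`, so a config with admin set and robot omitted enters the block with a null `robot`, and a config with robot set but admin null silently drops the robot credentials. The eks and custom copies of this file keep the `robot` check, so this looks like an accidental edit; restore `#@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None:`. The enclosing `copy_all_educates_values` definition starts and ends outside the hunk.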
@@ -0,0 +1,18 @@
+load("@ytt:data", "data")
+load("defaults.star", "enabledByDefaultPackagesList")
+
+def isClusterPackageEnableByDefault(package):
+    return package in enabledByDefaultPackagesList
+end
+
+def isClusterPackageEnabled(package):
+    if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"):
+        return data.values.clusterPackages[package].enabled
+    else:
+        return package in enabledByDefaultPackagesList
+    end
+end
+
+def isClusterPackageExplicitDisabled(package):
+    return not isClusterPackageEnabled(package)
+end
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml
index 8833f111..c64d2fda 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml
@@ -45,4 +45,4 @@ websiteStyling:
 #@overlay/remove
 imagePuller:
 #@overlay/remove
-lookupService:
\ No newline at end of file
+lookupService:
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-defaults.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml
similarity index 81%
rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-defaults.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml
index 514a76ca..2f091232 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-defaults.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml
@@ -1,6 +1,7 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") #@ load("@ytt:assert", "assert") +#@ load("functions.star", "isClusterPackageEnableByDefault") #@ (hasWorkloadIdentityExternalDns, _) = assert.try_to(lambda: len(data.values["clusterInfrastructure"]["gcp"]["workloadIdentity"]["external-dns"]) > 0) #@ if hasWorkloadIdentityExternalDns: @@ -16,12 +17,11 @@ #@ fail("cert-manager is enabled and can not be configured. Missing workloadIdentity") #@ end - #@overlay/match-child-defaults missing_ok=True #@overlay/replace clusterPackages: contour: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("contour") settings: infraProvider: gcp configFileContents: @@ -33,13 +33,13 @@ clusterPackages: domains: - #@ data.values.clusterIngress.domain cert-manager: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("cert-manager") settings: serviceaccount: annotations: iam.gke.io/gcp-service-account: #@ certManagerWorkloadIdentity external-dns: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("external-dns") settings: infraProvider: gcp serviceaccount: @@ -51,7 +51,7 @@ clusterPackages: domain_filter: #@ data.values.clusterInfrastructure.gcp.cloudDNS.zone if hasattr(data.values.clusterInfrastructure.gcp.cloudDNS, "zone") else data.values.clusterIngress.domain txt_owner_id: "educates" certs: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("certs") settings: certProvider: acme-gcp domains: 
@@ -60,15 +60,15 @@ clusterPackages: gcp: project: #@ data.values.clusterInfrastructure.gcp.project kyverno: - enabled: #@ data.values.clusterSecurity.policyEngine == "kyverno" + enabled: #@ isClusterPackageEnableByDefault("kyverno") settings: {} kapp-controller: - enabled: false + enabled: #@ isClusterPackageEnableByDefault("kapp-controller") settings: {} educates: - enabled: true + enabled: #@ isClusterPackageEnableByDefault("educates") settings: clusterIngress: tlsCertificateRef: namespace: projectcontour - name: educateswildcard \ No newline at end of file + name: educateswildcard diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/50-all-packages.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/50-packages-enablement.yaml similarity index 50% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/50-all-packages.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/50-packages-enablement.yaml index 748e7add..0a383ee3 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/50-all-packages.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/50-packages-enablement.yaml 
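Review bot: The kyverno default in the `@@ -60,15 +60,15 @@` hunk no longer depends on `clusterSecurity.policyEngine`, so on gke kyverno is now installed whenever it sits in `enabledByDefaultPackagesList` regardless of the chosen policy engine, and a user who sets `policyEngine: kyverno` together with `clusterPackages.kyverno.enabled: false` ends up with no policy engine and no error. If the decoupling is intended, keep the two settings consistent with a check in this file, next to the existing `fail(...)` for cert-manager: `#@ if data.values.clusterSecurity.policyEngine == "kyverno" and not isClusterPackageEnabled("kyverno"):` / `#@ fail("clusterSecurity.policyEngine is kyverno but the kyverno package is disabled")` / `#@ end`. That requires adding `isClusterPackageEnabled` to the `load("functions.star", ...)` line in this file's first hunk.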
@@ -1,43 +1,28 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") -#@ load("educates.lib.yaml", "copy_all_educates_values") -#! This copies user provided values for the custom infrastructure provider. +#! This enables packages based on the user input #@overlay/match-child-defaults missing_ok=True clusterPackages: contour: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "enabled"): enabled: #@ data.values.clusterPackages.contour.enabled - #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "settings"): - settings: #@ data.values.clusterPackages.contour.settings or {} cert-manager: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "enabled"): enabled: #@ data.values.clusterPackages["cert-manager"].enabled - #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "settings"): - settings: #@ data.values.clusterPackages["cert-manager"].settings or {} external-dns: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "enabled"): enabled: #@ data.values.clusterPackages["external-dns"].enabled - #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "settings"): - settings: #@ data.values.clusterPackages["external-dns"].settings or {} certs: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "enabled"): enabled: #@ 
data.values.clusterPackages.certs.enabled - #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "settings"): - settings: #@ data.values.clusterPackages.certs.settings or {} kyverno: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"): enabled: #@ data.values.clusterPackages.kyverno.enabled - #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "settings"): - settings: #@ data.values.clusterPackages.kyverno.settings or {} kapp-controller: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "enabled"): enabled: #@ data.values.clusterPackages["kapp-controller"].enabled - #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "settings"): - settings: #@ data.values.clusterPackages["kapp-controller"].settings or {} educates: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"): enabled: #@ data.values.clusterPackages.educates.enabled - #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "settings"): - settings: #@ data.values.clusterPackages.educates.settings or {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/80-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/80-copy-educates-config.yaml new file mode 100644 index 00000000..1afda1ac --- /dev/null 
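Review bot: The rename header records this file as moving from `custom/50-all-packages.yaml` to `gke/50-packages-enablement.yaml`, so unless a hunk outside this view re-adds one, the custom provider loses its user-enablement overlay; git may simply have paired a deleted custom file with a new gke file, but the outcome for custom should be confirmed. The header comment `#! This enables packages based on the user input` would be more precise as `#! Applies the user's clusterPackages.<name>.enabled choices over the provider defaults.`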
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/80-copy-educates-config.yaml @@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("educates.lib.yaml", "copy_all_educates_values") + +#! This copies user provided values for the custom infrastructure provider. + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/99-remove-settings-disabled.yaml new file mode 100644 index 00000000..25b8297c --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/99-remove-settings-disabled.yaml @@ -0,0 +1,36 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end isClusterPackageExplicitDisabled("contour"): + #@overlay/replace + settings: {} + cert-manager: + #@ if/end isClusterPackageExplicitDisabled("cert-manager"): + #@overlay/replace + settings: {} + external-dns: + #@ if/end isClusterPackageExplicitDisabled("external-dns"): + #@overlay/replace + settings: {} + certs: + #@ if/end isClusterPackageExplicitDisabled("certs"): + #@overlay/replace + settings: {} + kyverno: + #@ if/end isClusterPackageExplicitDisabled("kyverno"): + #@overlay/replace + settings: {} + kapp-controller: + #@ if/end isClusterPackageExplicitDisabled("kapp-controller"): + #@overlay/replace + settings: {} + #! educates: + #! #@ if/end isClusterPackageExplicitDisabled("educates"): + #! #@overlay/replace + #! settings: {} 
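Review bot: The `educates` block at the end of the `99-remove-settings-disabled.yaml` hunk is commented out with `#!`, so on gke a disabled educates package keeps whatever `80-copy-educates-config.yaml` copied into `settings`, whereas the kind variant in this patch adds a separate `95-remove-educates-settings-disabled.yaml` for exactly that case; the vcluster `99-remove-settings-disabled.yaml` hunk below carries the same commented-out block. Since ytt applies overlays in filename order and this file already sorts after `80-copy-educates-config.yaml`, either enable the block here or replace it with a `#!` comment stating why educates settings are deliberately retained when the package is disabled. The header comment `#! This removes settings for disabled packages` also undersells what `isClusterPackageExplicitDisabled` matches; `#! Empties settings for packages that end up disabled (not enabled by the user nor by default)` states it exactly.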
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/defaults.star new file mode 100644 index 00000000..6b948432 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/defaults.star @@ -0,0 +1,10 @@ +load("@ytt:data", "data") + +enabledByDefaultPackagesList = [ + "cert-manager", + "contour", + "external-dns", + "certs", + "kyverno", + "educates" +] \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml index 96bf208f..3cba7762 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml @@ -159,7 +159,12 @@ websiteStyling: #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: -imagePuller: #@ data.values.imagePuller +imagePuller: + enabled: #@ data.values.imagePuller.enabled + #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None: + #@overlay/replace + prePullImages: #@ data.values.imagePuller.prePullImages + #@ end #@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: lookupService: #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star new file mode 100644 index 00000000..6a078759 
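Review bot: `enabled: #@ data.values.imagePuller.enabled` in the `imagePuller` hunk is the only field in this library function read without the `hasattr`/`!= None` guard every sibling uses (compare `lookupService.enabled` two lines below), so unless the values schema guarantees the key, an `imagePuller:` block that omits `enabled` fails the render instead of being skipped; the identical hunk is added to the kind and vcluster `educates.lib.yaml`. Guard it the same way with `#@ if/end hasattr(data.values.imagePuller, "enabled") and data.values.imagePuller.enabled != None:` placed before `enabled: #@ data.values.imagePuller.enabled`. The enclosing `copy_all_educates_values` function starts outside the hunk.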
--- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star @@ -0,0 +1,18 @@ +load("@ytt:data", "data") +load("defaults.star", "enabledByDefaultPackagesList") + +def isClusterPackageEnableByDefault(package): + return package in enabledByDefaultPackagesList +end + +def isClusterPackageEnabled(package): + if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"): + return data.values.clusterPackages[package].enabled + else: + return package in enabledByDefaultPackagesList + end +end + +def isClusterPackageExplicitDisabled(package): + return not isClusterPackageEnabled(package) +end \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml index 8833f111..c64d2fda 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookupService: \ No newline at end of file +lookupService: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/10-defaults.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/10-default-settings-for-provider.yaml similarity index 56% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/10-defaults.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/10-default-settings-for-provider.yaml index 74689983..0c03d83c 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/10-defaults.yaml 
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/10-default-settings-for-provider.yaml @@ -1,7 +1,7 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "xgetattr", "isClusterPackageEnableByDefault") #@ load("educates.lib.yaml", "copy_all_educates_values") -#@ load("/functions.star", "xgetattr") #! This file contains default values for the custom infrastructure provider. #! These are the values that will be set if not overridden by the user. @@ -10,7 +10,7 @@ #@overlay/replace clusterPackages: contour: - enabled: #@ xgetattr(data.values, "clusterPackages.contour.enabled", True) + enabled: #@ isClusterPackageEnableByDefault("contour") settings: infraProvider: kind contour: @@ -22,21 +22,20 @@ clusterPackages: type: ClusterIP useHostPorts: true cert-manager: - enabled: #@ xgetattr(data.values, "clusterPackages.cert-manager.enabled", False) + enabled: #@ isClusterPackageEnableByDefault("cert-manager") settings: {} external-dns: - enabled: #@ xgetattr(data.values, "clusterPackages.external-dns.enabled", False) + enabled: #@ isClusterPackageEnableByDefault("external-dns") settings: {} certs: - enabled: #@ xgetattr(data.values, "clusterPackages.external-dns.enabled", False) + enabled: #@ isClusterPackageEnableByDefault("certs") settings: {} kyverno: - enabled: #@ xgetattr(data.values, "clusterPackages.kyverno.enabled", True) + enabled: #@ isClusterPackageEnableByDefault("kyverno") settings: {} kapp-controller: - enabled: #@ xgetattr(data.values, "clusterPackages.kapp-controller.enabled", False) + enabled: #@ isClusterPackageEnableByDefault("kapp-controller") settings: {} educates: - enabled: #@ xgetattr(data.values, "clusterPackages.educates.enabled", True) - settings: #@ xgetattr(data.values, "clusterPackages.educates.settings", {}) - + enabled: #@ isClusterPackageEnableByDefault("educates") + settings: #@ xgetattr(data.values, "clusterPackages.educates.settings") 
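Review bot: `settings: #@ xgetattr(data.values, "clusterPackages.educates.settings")` in the last hunk drops the `{}` fallback the old line passed, so when the user supplies no educates settings the key takes whatever `xgetattr` returns for a missing path (presumably `None`, which is not visible here); `89-copy-educates-config.yaml` then merges a map into that value, and a null there may not merge cleanly. Keeping the fallback, `settings: #@ xgetattr(data.values, "clusterPackages.educates.settings", {})`, preserves the previous behaviour. The header comment `#! This file contains default values for the custom infrastructure provider.` was carried into the kind file and should say kind.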
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-packages-enablement.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-packages-enablement.yaml new file mode 100644 index 00000000..0a383ee3 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-packages-enablement.yaml 
@@ -0,0 +1,28 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#! This enables packages based on the user input + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "enabled"): + enabled: #@ data.values.clusterPackages.contour.enabled + cert-manager: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "enabled"): + enabled: #@ data.values.clusterPackages["cert-manager"].enabled + external-dns: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "enabled"): + enabled: #@ data.values.clusterPackages["external-dns"].enabled + certs: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "enabled"): + enabled: #@ data.values.clusterPackages.certs.enabled + kyverno: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"): + enabled: #@ data.values.clusterPackages.kyverno.enabled + kapp-controller: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "enabled"): + enabled: #@ data.values.clusterPackages["kapp-controller"].enabled + educates: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"): + enabled: #@ data.values.clusterPackages.educates.enabled 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/80-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/80-remove-settings-disabled.yaml new file mode 100644 index 00000000..c140d8f3 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/80-remove-settings-disabled.yaml @@ -0,0 +1,32 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end isClusterPackageExplicitDisabled("contour"): + #@overlay/replace + settings: {} + cert-manager: + #@ if/end isClusterPackageExplicitDisabled("cert-manager"): + #@overlay/replace + settings: {} + external-dns: + #@ if/end isClusterPackageExplicitDisabled("external-dns"): + #@overlay/replace + settings: {} + certs: + #@ if/end isClusterPackageExplicitDisabled("certs"): + #@overlay/replace + settings: {} + kyverno: + #@ if/end isClusterPackageExplicitDisabled("kyverno"): + #@overlay/replace + settings: {} + kapp-controller: + #@ if/end isClusterPackageExplicitDisabled("kapp-controller"): + #@overlay/replace + settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/89-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/89-copy-educates-config.yaml new file mode 100644 index 00000000..1afda1ac --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/89-copy-educates-config.yaml 
@@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("educates.lib.yaml", "copy_all_educates_values") + +#! This copies user provided values for the custom infrastructure provider. + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/90-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/90-overlays.yaml index 31dfa422..68ef912c 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/90-overlays.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/90-overlays.yaml @@ -1,23 +1,17 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") #@ load("@ytt:assert", "assert") -#@ load("/functions.star", "isGlobalCaCertificateRefEnabled", "xgetattr") - -#! This file is used to set the default values for the vcluster installation -#! Add to this file all the defaults that you don't want to be overidden by the user -#! These values will override all the values provided by the user either in the global configuration -#! or the clusterPackages.educates configuration +#@ load("/functions.star", "isGlobalCaCertificateRefEnabled") #@overlay/match-child-defaults missing_ok=True clusterPackages: +#@ if isGlobalCaCertificateRefEnabled(): cert-manager: - enabled: #@ isGlobalCaCertificateRefEnabled() - #@ if/end isGlobalCaCertificateRefEnabled(): + enabled: true settings: clusterResourceNamespace: #@ data.values.clusterInfrastructure.caCertificateRef.namespace certs: - enabled: #@ isGlobalCaCertificateRefEnabled() - #@ if/end isGlobalCaCertificateRefEnabled(): + enabled: true settings: domains: - #@ data.values.clusterIngress.domain 
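Review bot: The `89-copy-educates-config.yaml` hunk carries the comment `#! This copies user provided values for the custom infrastructure provider.` into the kind directory, and the gke and vcluster `80-copy-educates-config.yaml` hunks repeat it; `#! Copies the user's top-level Educates values into clusterPackages.educates.settings for the kind provider.` describes the file. The first `90-overlays.yaml` hunk removes the four-line header explaining that this file's values override anything the user provides, without replacing it, so the forced `enabled: true` lines now have no stated rationale; a short `#!` comment saying that a caCertificateRef requires cert-manager, certs and educates regardless of user enablement would restore that.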
@@ -29,13 +23,13 @@ clusterPackages: wildcardCertificateNamespace: #@ data.values.clusterInfrastructure.caCertificateRef.namespace certmanagerClusterResourceNamespace: #@ data.values.clusterInfrastructure.caCertificateRef.namespace educates: + enabled: true settings: clusterIngress: - #@ if isGlobalCaCertificateRefEnabled(): caCertificateRef: namespace: #@ data.values.clusterInfrastructure.caCertificateRef.namespace name: #@ data.values.clusterInfrastructure.caCertificateRef.name #! NOTE: Nodes Operating System must be based of Debian in order to allow NodeInjector caNodeInjector: enabled: true - #@ end +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/95-remove-educates-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/95-remove-educates-settings-disabled.yaml new file mode 100644 index 00000000..4c013ef9 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/95-remove-educates-settings-disabled.yaml @@ -0,0 +1,12 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + #@ if/end isClusterPackageExplicitDisabled("educates"): + #@overlay/replace + settings: {} \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/defaults.star new file mode 100644 index 00000000..84dc02e4 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/defaults.star @@ -0,0 +1,7 @@ +load("@ytt:data", "data") + +enabledByDefaultPackagesList = [ + "contour", + "kyverno", + "educates" +] \ No newline at end of file 
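Review bot: `educates:` / `enabled: true` inside the `#@ if isGlobalCaCertificateRefEnabled():` block forces the package on, but the new `95-remove-educates-settings-disabled.yaml` decides from `data.values` through `isClusterPackageExplicitDisabled("educates")` and runs after this file, so a user who sets `clusterPackages.educates.enabled: false` with a `caCertificateRef` gets educates enabled with `settings: {}`, losing the `caCertificateRef` and `caNodeInjector` settings written here. Forcing `cert-manager` and `certs` on also silently overrides an explicit `enabled: false` for those packages. Either make the CA-ref requirement visible to the helpers (for example have `isClusterPackageEnabled` return true for these three packages when `isGlobalCaCertificateRefEnabled()`), or `fail()` when a CA ref is configured and one of them is explicitly disabled, rather than overriding the user's choice without a message.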
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml index 96bf208f..2bfa409a 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml @@ -1,6 +1,5 @@ #@ load("@ytt:data", "data") -#! TODO: Customize certs name reference in eks #@ def copy_all_educates_values(): #@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: @@ -29,11 +28,10 @@ clusterIngress: tls.crt: #@ data.values.clusterIngress.tlsCertificate["tls.crt"] #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.key") and data.values.clusterIngress.tlsCertificate["tls.key"] != None: tls.key: #@ data.values.clusterIngress.tlsCertificate["tls.key"] - #! TODO: Customize certs name reference in eks - #! projectcontour/wildcard #@ if/end hasattr(data.values.clusterIngress, "tlsCertificateRef") and data.values.clusterIngress.tlsCertificateRef != None: tlsCertificateRef: - namespace: #@ (hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None) and data.values.clusterIngress.tlsCertificateRef.namespace or "projectcontour" + #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None: + namespace: #@ data.values.clusterIngress.tlsCertificateRef.namespace #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "name") and data.values.clusterIngress.tlsCertificateRef.name != None: name: #@ data.values.clusterIngress.tlsCertificateRef.name #@ if/end hasattr(data.values.clusterIngress, "caCertificate") and data.values.clusterIngress.caCertificate != None: 
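Review bot: Dropping the `or "projectcontour"` fallback in the `tlsCertificateRef` hunk means a user who supplies `tlsCertificateRef.name` without `namespace` now gets a ref with no namespace key where it previously defaulted to `projectcontour`; whether a downstream default covers that case is not visible here. If the default now lives elsewhere, a `#!` comment on the `tlsCertificateRef:` line saying where would stop the next reader from restoring the fallback; otherwise the default should be kept. The enclosing `copy_all_educates_values` function starts outside the hunk.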
@@ -159,7 +157,12 @@ websiteStyling: #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None: frameAncestors: #@ data.values.websiteStyling.frameAncestors #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: -imagePuller: #@ data.values.imagePuller +imagePuller: + enabled: #@ data.values.imagePuller.enabled + #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None: + #@overlay/replace + prePullImages: #@ data.values.imagePuller.prePullImages + #@ end #@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: lookupService: #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/functions.star index 0ebd0791..77457420 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/functions.star +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/functions.star @@ -1,4 +1,21 @@ load("@ytt:data", "data") +load("defaults.star", "enabledByDefaultPackagesList") + +def isClusterPackageEnableByDefault(package): + return package in enabledByDefaultPackagesList +end + +def isClusterPackageEnabled(package): + if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"): + return data.values.clusterPackages[package].enabled + else: + return package in enabledByDefaultPackagesList + end +end + +def isClusterPackageExplicitDisabled(package): + return not isClusterPackageEnabled(package) +end def isGlobalCaCertificateRefEnabled(): return (hasattr(data.values.clusterInfrastructure, "caCertificateRef") and 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml index 8833f111..c64d2fda 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml @@ -45,4 +45,4 @@ websiteStyling: #@overlay/remove imagePuller: #@overlay/remove -lookupService: \ No newline at end of file +lookupService: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-default-settings-for-provider.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-default-settings-for-provider.yaml new file mode 100644 index 00000000..221ebf2c --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-default-settings-for-provider.yaml 
@@ -0,0 +1,31 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageEnableByDefault") + +#! This file contains default values for the custom infrastructure provider. +#! These are the values that will be set if not overridden by the user. + +#@overlay/match-child-defaults missing_ok=True +#@overlay/replace +clusterPackages: + contour: + enabled: #@ isClusterPackageEnableByDefault("contour") + settings: {} + cert-manager: + enabled: #@ isClusterPackageEnableByDefault("cert-manager") + settings: {} + external-dns: + enabled: #@ isClusterPackageEnableByDefault("external-dns") + settings: {} + certs: + enabled: #@ isClusterPackageEnableByDefault("certs") + settings: {} + kyverno: + enabled: #@ isClusterPackageEnableByDefault("kyverno") + settings: {} + kapp-controller: + enabled: #@ isClusterPackageEnableByDefault("kapp-controller") + settings: {} + educates: + enabled: #@ isClusterPackageEnableByDefault("educates") + settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/50-all-packages.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/50-packages-enablement.yaml similarity index 91% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/50-all-packages.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/50-packages-enablement.yaml index dddeec98..2080d7d4 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/50-all-packages.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/50-packages-enablement.yaml 
@@ -1,8 +1,7 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") -#@ load("educates.lib.yaml", "copy_all_educates_values") -#! This copies user provided values for the custom infrastructure provider. +#! This enables packages based on the user input #@overlay/match-child-defaults missing_ok=True clusterPackages: @@ -27,4 +26,3 @@ clusterPackages: educates: #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"): enabled: #@ data.values.clusterPackages.educates.enabled - settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/80-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/80-copy-educates-config.yaml new file mode 100644 index 00000000..1afda1ac --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/80-copy-educates-config.yaml @@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("educates.lib.yaml", "copy_all_educates_values") + +#! This copies user provided values for the custom infrastructure provider. + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/99-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/90-overlays.yaml similarity index 100% rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/99-overlays.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/90-overlays.yaml 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/99-remove-settings-disabled.yaml new file mode 100644 index 00000000..25b8297c --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/99-remove-settings-disabled.yaml @@ -0,0 +1,36 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end isClusterPackageExplicitDisabled("contour"): + #@overlay/replace + settings: {} + cert-manager: + #@ if/end isClusterPackageExplicitDisabled("cert-manager"): + #@overlay/replace + settings: {} + external-dns: + #@ if/end isClusterPackageExplicitDisabled("external-dns"): + #@overlay/replace + settings: {} + certs: + #@ if/end isClusterPackageExplicitDisabled("certs"): + #@overlay/replace + settings: {} + kyverno: + #@ if/end isClusterPackageExplicitDisabled("kyverno"): + #@overlay/replace + settings: {} + kapp-controller: + #@ if/end isClusterPackageExplicitDisabled("kapp-controller"): + #@overlay/replace + settings: {} + #! educates: + #! #@ if/end isClusterPackageExplicitDisabled("educates"): + #! #@overlay/replace + #! settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/README.md new file mode 100644 index 00000000..360ccfe9 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/README.md 
@@ -0,0 +1,6 @@ +# generic +By default, only kyverno and educates will be installed +We only allow to enabling/disabling packages at users' risk (except for contour and lookup-service) +No configuration is provided for these packages. + +TODO: Revisit the configuration for some of the packages. Should we allow for enabling external-dns, certs,...? \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star new file mode 100644 index 00000000..296e5924 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star @@ -0,0 +1,4 @@ +load("@ytt:data", "data") + +enabledByDefaultPackagesList = [ +] \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml index 96bf208f..b721fccf 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml @@ -1,6 +1,5 @@ #@ load("@ytt:data", "data") -#! TODO: Customize certs name reference in eks #@ def copy_all_educates_values(): #@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: 
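Review bot: `enabledByDefaultPackagesList = []` in the vcluster `defaults.star` hunk disables every package by default, educates included, while the README added beside it says `By default, only kyverno and educates will be installed` and is titled `# generic`; one of the two is wrong, and with the empty list an unconfigured vcluster install renders educates with `enabled: false`. If kyverno and educates are meant to be on, the list should read `enabledByDefaultPackagesList = ["kyverno", "educates"]` as the kind file does; either way the README title should name vcluster. The `load("@ytt:data", "data")` in this file is unused.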
@@ -72,7 +71,7 @@ trainingPortal:
 username: #@ data.values.trainingPortal.credentials.admin.username
 #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None:
 password: #@ data.values.trainingPortal.credentials.admin.password
- #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None:
+ #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.admin != None:
 robot:
 #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None:
 username: #@ data.values.trainingPortal.credentials.robot.username
@@ -159,7 +158,12 @@ websiteStyling:
 #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None:
 frameAncestors: #@ data.values.websiteStyling.frameAncestors
 #@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None:
-imagePuller: #@ data.values.imagePuller
+imagePuller:
+ enabled: #@ data.values.imagePuller.enabled
+ #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None:
+ #@overlay/replace
+ prePullImages: #@ data.values.imagePuller.prePullImages
+ #@ end
 #@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None:
 lookupService:
 #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None:
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/functions.star
new file mode 100644
index 00000000..6a078759
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/functions.star
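Review bot: The rewritten guard before `robot:` keeps `hasattr(..., "robot")` but then compares `data.values.trainingPortal.credentials.admin != None`, so an explicit `robot: null` next to a populated `admin` passes the guard and the lines that follow read `.robot.username` / `.robot.password` on a null value; the removed line, `#@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None:`, is the correct one. Because these are the portal's credential settings, an emitted-but-empty `robot:` mapping is the kind of defect that only shows up at deploy time, so a scenario with `robot: null` would pin it. In the second hunk on this line, `enabled: #@ data.values.imagePuller.enabled` is read without the hasattr/`!= None` guard applied to `prePullImages`; if the values schema does not default `imagePuller.enabled`, the same guard keeps the two consistent. `copy_all_educates_values` begins and ends outside these hunks.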
@@ -0,0 +1,18 @@
+load("@ytt:data", "data")
+load("defaults.star", "enabledByDefaultPackagesList")
+
+def isClusterPackageEnableByDefault(package):
+ return package in enabledByDefaultPackagesList
+end
+
+def isClusterPackageEnabled(package):
+ if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"):
+ return data.values.clusterPackages[package].enabled
+ else:
+ return package in enabledByDefaultPackagesList
+ end
+end
+
+def isClusterPackageExplicitDisabled(package):
+ return not isClusterPackageEnabled(package)
+end
\ No newline at end of file
From 67699ec855e522992397b0b0251ddc7f51bad6db Mon Sep 17 00:00:00 2001 
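Review bot: `isClusterPackageEnabled` re-implements the default-list membership in its `else` branch instead of calling `isClusterPackageEnableByDefault`, which is defined right above it; `return isClusterPackageEnableByDefault(package)` keeps a single definition of "enabled by default". `isClusterPackageExplicitDisabled` is true for any package that is not enabled, including one the user never mentioned that is simply absent from `enabledByDefaultPackagesList`, so the "Explicit" in the name does not match what it does; either rename it (`isClusterPackageDisabled`) or put a comment above it saying it means "not enabled, whether explicitly or by default". When a values file carries `enabled: null`, the first branch returns `None` rather than a bool and the caller negates it; adding `data.values.clusterPackages[package].enabled != None` to the condition makes that case fall through to the default, unless the schema already rejects a null there.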
From: Jorge Morales Pou Date: Wed, 7 Aug 2024 17:08:24 +0200 Subject: [PATCH 06/11] eks and gke fixed and scenarios added --- .../eks/10-default-settings-for-provider.yaml | 8 +-- .../infrastructure/eks/12-overlays.yaml | 10 +++ .../infrastructure/eks/functions.star | 19 +++++- .../gke/10-default-settings-for-provider.yaml | 9 +-- .../infrastructure/gke/12-overlays.yaml | 10 +++ .../infrastructure/gke/functions.star | 19 +++++- .../infrastructure/vcluster/defaults.star | 2 + .../test-custom-scenario-1/expected.yaml | 6 +- .../test-custom-scenario-2/expected.yaml | 6 +- .../test-custom-scenario-3/expected.yaml | 6 +- .../eks/test-eks-scenario-03/expected.yaml | 35 ++--------- .../eks/test-eks-scenario-04/description.md | 2 + .../eks/test-eks-scenario-04/expected.yaml | 60 ++++++++++++++++++ .../eks/test-eks-scenario-04/values.yaml | 15 +++++ .../eks/test-eks-scenario-04b/description.md | 2 + .../eks/test-eks-scenario-04b/expected.yaml | 61 +++++++++++++++++++ .../eks/test-eks-scenario-04b/values.yaml | 16 +++++ .../eks/test-eks-scenario-04c/description.md | 3 + .../eks/test-eks-scenario-04c/expected.yaml | 61 +++++++++++++++++++ .../eks/test-eks-scenario-04c/values.yaml | 22 +++++++ .../eks/test-eks-scenario-04d/description.md | 3 + .../eks/test-eks-scenario-04d/expected.yaml | 61 +++++++++++++++++++ .../eks/test-eks-scenario-04d/values.yaml | 21 +++++++ .../gke/test-gke-scenario-03/expected.yaml | 35 ++--------- .../gke/test-gke-scenario-04/description.md | 2 + .../gke/test-gke-scenario-04/expected.yaml | 60 ++++++++++++++++++ .../gke/test-gke-scenario-04/values.yaml | 15 +++++ .../gke/test-gke-scenario-04b/description.md | 2 + .../gke/test-gke-scenario-04b/expected.yaml | 61 +++++++++++++++++++ .../gke/test-gke-scenario-04b/values.yaml | 16 +++++ .../gke/test-gke-scenario-04c/description.md | 3 + .../gke/test-gke-scenario-04c/expected.yaml | 61 +++++++++++++++++++ .../gke/test-gke-scenario-04c/values.yaml | 22 +++++++ .../gke/test-gke-scenario-04d/description.md | 
3 + .../gke/test-gke-scenario-04d/expected.yaml | 61 +++++++++++++++++++ .../gke/test-gke-scenario-04d/values.yaml | 21 +++++++ .../kind/test-kind-scenario-01c/expected.yaml | 8 +-- .../test-kind-scenario-01d/description.md | 2 + .../kind/test-kind-scenario-01d/expected.yaml | 39 ++++++++++++ .../kind/test-kind-scenario-01d/values.yaml | 9 +++ .../test-kind-scenario-01e/description.md | 2 + .../kind/test-kind-scenario-01e/expected.yaml | 40 ++++++++++++ .../kind/test-kind-scenario-01e/values.yaml | 14 +++++ .../test-kind-scenario-01f/description.md | 3 + .../kind/test-kind-scenario-01f/expected.yaml | 40 ++++++++++++ .../kind/test-kind-scenario-01f/values.yaml | 15 +++++ .../kind/test-kind-scenario-08/expected.yaml | 8 +-- .../kind/test-kind-scenario-08b/expected.yaml | 8 +-- .../kind/test-kind-scenario-08c/expected.yaml | 17 +----- .../kind/test-kind-scenario-08d/expected.yaml | 17 +----- .../test-kind-scenario-12c/description.md | 2 + .../kind/test-kind-scenario-12c/expected.yaml | 40 ++++++++++++ .../kind/test-kind-scenario-12c/values.yaml | 16 +++++ .../kind/test-kind-scenario-13/description.md | 2 +- .../installer/scenarios/test-scenarios.sh | 16 +++-- 55 files changed, 968 insertions(+), 149 deletions(-) create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/12-overlays.yaml create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/12-overlays.yaml create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04/description.md create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04/expected.yaml create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04/values.yaml create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/description.md create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/expected.yaml create mode 100644 
carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/values.yaml create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/description.md create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/expected.yaml create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/values.yaml create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/description.md create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/expected.yaml create mode 100644 carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/values.yaml create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04/description.md create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04/expected.yaml create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04/values.yaml create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/description.md create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/expected.yaml create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/values.yaml create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/description.md create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/expected.yaml create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/values.yaml create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/description.md create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/expected.yaml create mode 100644 carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/values.yaml create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/description.md create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/expected.yaml create mode 100644 
carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/values.yaml create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/description.md create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/expected.yaml create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/values.yaml create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/description.md create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/expected.yaml create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/values.yaml create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/description.md create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/expected.yaml create mode 100644 carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/values.yaml diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml index 1f050dd5..81adfc85 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml @@ -1,7 +1,7 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") #@ load("@ytt:assert", "assert") -#@ load("functions.star", "isClusterPackageEnableByDefault") +#@ load("functions.star", "isClusterPackageEnableByDefault", "xgetattr") #@ (hasIrsaRoleExternalDns, _) = assert.try_to(lambda: len(data.values["clusterInfrastructure"]["aws"]["irsaRoles"]["external-dns"]) > 0) #@ if hasIrsaRoleExternalDns: 
@@ -68,8 +68,4 @@ clusterPackages:
 settings: {}
 educates:
 enabled: #@ isClusterPackageEnableByDefault("educates")
- settings:
- clusterIngress:
- tlsCertificateRef:
- namespace: projectcontour
- name: educateswildcard
+ settings: #@ xgetattr(data.values, "clusterPackages.educates.settings")
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/12-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/12-overlays.yaml
new file mode 100644
index 00000000..43314cca
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/12-overlays.yaml
@@ -0,0 +1,10 @@
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ educates:
+ settings:
+ clusterIngress:
+ tlsCertificateRef:
+ namespace: projectcontour
+ name: educateswildcard
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star
index 6a078759..2c5b8bf2 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star
@@ -15,4 +15,21 @@ end
 def isClusterPackageExplicitDisabled(package):
 return not isClusterPackageEnabled(package)
-end
\ No newline at end of file
+end
+
+def xgetattr(object, path, default=None):
+ def _lookup(object, key, default=None):
+ keys = key.split(".")
+ value = default
+ for key in keys:
+ value = getattr(object, key, None)
+ if value == None:
+ return default
+ end
+ object = value
+ end
+ return value
+ end
+
+ return _lookup(object, path, default)
+end 
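Review bot: In `xgetattr` the inner `_lookup` takes a `key` parameter that is immediately shadowed by the `for key in keys` loop variable, and `object`/`default` are threaded through an inner function that adds nothing over a flat loop; the flattened version below walks the same path and returns the same values. The new call site `settings: #@ xgetattr(data.values, "clusterPackages.educates.settings")` yields `null` when the user supplied no `clusterPackages.educates` block, and the new `12-overlays.yaml` then has to merge `clusterIngress` into that null; unless the values schema already guarantees `settings` is a map, passing `{}` as the third argument makes that edge explicit. `gke/functions.star` and `gke/12-overlays.yaml` (the two hunks further down, same blob `43314cca` for the overlay) are byte-for-byte copies of these two files, so the same applies there and a shared helper would avoid the drift two copies invite.
```starlark
def xgetattr(object, path, default=None):
  value = object
  for key in path.split("."):
    value = getattr(value, key, None)
    if value == None:
      return default
    end
  end
  return value
end
```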
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml
index 2f091232..d71e02bd 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml
@@ -1,7 +1,7 @@
 #@ load("@ytt:data", "data")
 #@ load("@ytt:overlay", "overlay")
 #@ load("@ytt:assert", "assert")
-#@ load("functions.star", "isClusterPackageEnableByDefault")
+#@ load("functions.star", "isClusterPackageEnableByDefault", "xgetattr")
 #@ (hasWorkloadIdentityExternalDns, _) = assert.try_to(lambda: len(data.values["clusterInfrastructure"]["gcp"]["workloadIdentity"]["external-dns"]) > 0)
 #@ if hasWorkloadIdentityExternalDns:
@@ -67,8 +67,5 @@ clusterPackages:
 settings: {}
 educates:
 enabled: #@ isClusterPackageEnableByDefault("educates")
- settings:
- clusterIngress:
- tlsCertificateRef:
- namespace: projectcontour
- name: educateswildcard
+ settings: #@ xgetattr(data.values, "clusterPackages.educates.settings")
+
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/12-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/12-overlays.yaml
new file mode 100644
index 00000000..43314cca
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/12-overlays.yaml
@@ -0,0 +1,10 @@
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ educates:
+ settings:
+ clusterIngress:
+ tlsCertificateRef:
+ namespace: projectcontour
+ name: educateswildcard
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star
index 6a078759..2c5b8bf2 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star
@@ -15,4 +15,21 @@ end
 def isClusterPackageExplicitDisabled(package):
 return not isClusterPackageEnabled(package)
-end
\ No newline at end of file
+end
+
+def xgetattr(object, path, default=None):
+ def _lookup(object, key, default=None):
+ keys = key.split(".")
+ value = default
+ for key in keys:
+ value = getattr(object, key, None)
+ if value == None:
+ return default
+ end
+ object = value
+ end
+ return value
+ end
+
+ return _lookup(object, path, default)
+end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star
index 296e5924..8d7aa8e0 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star
@@ -1,4 +1,6 @@
 load("@ytt:data", "data")
 enabledByDefaultPackagesList = [
+ "kyverno",
+ "educates"
 ]
\ No newline at end of file
diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/expected.yaml b/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/expected.yaml
index f9da4c6f..ed9abc10 100644
--- a/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/expected.yaml
+++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/expected.yaml
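Review bot: The new `"educates"` entry in `vcluster/defaults.star` has no trailing comma, so the next addition to `enabledByDefaultPackagesList` will touch two lines; Starlark accepts `"educates",`. The `load("@ytt:data", "data")` at the top of that file is not used by anything in it and can be dropped. The `xgetattr` added to `gke/functions.star` on this line is the same code as the eks copy and is reviewed there.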
@@ -10,11 +10,7 @@ clusterPackages: cert-manager.custom: "true" external-dns: enabled: false - settings: - infraProvider: gcp - gcp: - args: - project: PROJECT_ID + settings: {} certs: enabled: false settings: {} diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/expected.yaml b/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/expected.yaml index 1eda8ce9..ca3f5709 100644 --- a/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/expected.yaml +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/expected.yaml @@ -10,11 +10,7 @@ clusterPackages: cert-manager.custom: "true" external-dns: enabled: false - settings: - infraProvider: gcp - gcp: - args: - project: PROJECT_ID + settings: {} certs: enabled: false settings: {} diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/expected.yaml b/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/expected.yaml index 7511f64a..1676ca2b 100644 --- a/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/expected.yaml +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/expected.yaml @@ -13,11 +13,7 @@ clusterPackages: cert-manager.custom: "true" external-dns: enabled: false - settings: - infraProvider: gcp - gcp: - args: - project: PROJECT_ID + settings: {} certs: enabled: false settings: {} diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/expected.yaml index 68a3cbd1..0adf75f6 100644 --- a/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/expected.yaml +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/expected.yaml 
@@ -1,43 +1,16 @@ clusterPackages: contour: enabled: false - settings: - infraProvider: aws - configFileContents: - defaultHttpVersions: - - HTTP/1.1 - service: - type: LoadBalancer - externaldns: - domains: - - educates.example.com + settings: {} cert-manager: enabled: false - settings: - serviceaccount: - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + settings: {} external-dns: enabled: false - settings: - infraProvider: aws - serviceaccount: - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns - aws: - args: - domain_filter: example.com - txt_owner_id: educates + settings: {} certs: enabled: false - settings: - certProvider: acme-aws - domains: - - educates.example.com - acme: - aws: - certs: - region: eu-west-1 + settings: {} kyverno: enabled: true settings: {} diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/description.md new file mode 100644 index 00000000..cfd1fb92 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/description.md @@ -0,0 +1,2 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/expected.yaml new file mode 100644 index 00000000..49994de5 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/expected.yaml 
@@ -0,0 +1,60 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/values.yaml new file mode 100644 index 00000000..1d60959b --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/values.yaml @@ -0,0 +1,15 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true 
diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/description.md new file mode 100644 index 00000000..16e4b311 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/description.md @@ -0,0 +1,2 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with alternate ingressPrefix diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/expected.yaml new file mode 100644 index 00000000..d73aeee7 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/expected.yaml @@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: ALTERNATE 
diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/values.yaml new file mode 100644 index 00000000..e5a4dc71 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/values.yaml @@ -0,0 +1,16 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/description.md new file mode 100644 index 00000000..f3c38bb6 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/description.md @@ -0,0 +1,3 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with alternate ingressPrefix globally +We enable LookupService in clusterPackages with other ingressPrefix that should be discarded diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/expected.yaml new file mode 100644 index 00000000..d73aeee7 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/expected.yaml 
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/values.yaml new file mode 100644 index 00000000..8d11157d --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/values.yaml @@ -0,0 +1,22 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterPackages: + educates: + settings: + lookupService: + enabled: true + ingressPrefix: THIS_NOT +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: ALTERNATE 
diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/description.md new file mode 100644 index 00000000..cf650263 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/description.md @@ -0,0 +1,3 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with no ingressPrefix +We enable LookupService in clusterPackages with other ingressPrefix that should be REMAIN diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/expected.yaml new file mode 100644 index 00000000..5cdfaadc --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/expected.yaml 
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_STAY diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/values.yaml new file mode 100644 index 00000000..84b789f2 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/values.yaml @@ -0,0 +1,21 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterPackages: + educates: + settings: + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_STAY +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true 
diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/expected.yaml index 7cb716b9..0adf75f6 100644 --- a/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/expected.yaml +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/expected.yaml @@ -1,43 +1,16 @@ clusterPackages: contour: enabled: false - settings: - infraProvider: gcp - configFileContents: - defaultHttpVersions: - - HTTP/1.1 - service: - type: LoadBalancer - externaldns: - domains: - - educates.example.com + settings: {} cert-manager: enabled: false - settings: - serviceaccount: - annotations: - iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + settings: {} external-dns: enabled: false - settings: - infraProvider: gcp - serviceaccount: - annotations: - iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com - gcp: - args: - project: my-project - domain_filter: example.com - txt_owner_id: educates + settings: {} certs: enabled: false - settings: - certProvider: acme-gcp - domains: - - educates.example.com - acme: - gcp: - project: my-project + settings: {} kyverno: enabled: true settings: {} diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/description.md new file mode 100644 index 00000000..d5998c85 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/description.md @@ -0,0 +1,2 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/expected.yaml new file mode 100644 index 00000000..acea7bbd --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/expected.yaml 
@@ -0,0 +1,60 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/values.yaml new file mode 100644 index 00000000..cd0cc699 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/values.yaml @@ -0,0 +1,15 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true 
diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/description.md new file mode 100644 index 00000000..6b66805e --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/description.md @@ -0,0 +1,2 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with alternate ingressPrefix diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/expected.yaml new file mode 100644 index 00000000..e60e782f --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/expected.yaml @@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: ALTERNATE 
diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/values.yaml new file mode 100644 index 00000000..ab77250d --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/values.yaml @@ -0,0 +1,16 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/description.md new file mode 100644 index 00000000..2c06a3a7 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/description.md @@ -0,0 +1,3 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with alternate ingressPrefix globally +We enable LookupService in clusterPackages with other ingressPrefix that should be discarded diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/expected.yaml new file mode 100644 index 00000000..e60e782f --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/expected.yaml 
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/values.yaml new file mode 100644 index 00000000..5f9aeec7 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/values.yaml 
@@ -0,0 +1,22 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterPackages: + educates: + settings: + lookupService: + enabled: true + ingressPrefix: THIS_NOT +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/description.md new file mode 100644 index 00000000..f94ea1c4 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/description.md @@ -0,0 +1,3 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with no ingressPrefix +We enable LookupService in clusterPackages with other ingressPrefix that should be REMAIN diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/expected.yaml new file mode 100644 index 00000000..1cd4cc6c --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/expected.yaml 
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_STAY diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/values.yaml new file mode 100644 index 00000000..e04ce4ee --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/values.yaml 
@@ -0,0 +1,21 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterPackages: + educates: + settings: + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_STAY +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/expected.yaml index c2c4dbb3..27d97363 100644 --- a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/expected.yaml +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/expected.yaml @@ -28,10 +28,4 @@ clusterPackages: settings: {} educates: enabled: false - settings: - clusterIngress: - domain: educates.example.com - clusterSecurity: - policyEngine: kyverno - workshopSecurity: - rulesEngine: kyverno + settings: {} diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/description.md new file mode 100644 index 00000000..464762cf --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/description.md @@ -0,0 +1,2 @@ +kind using provided domain with http and kyverno clusterSecurityEngine +With lookupService enabled \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/expected.yaml new file mode 100644 index 00000000..4f7203c5 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/expected.yaml 
@@ -0,0 +1,39 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/values.yaml new file mode 100644 index 00000000..558cfb22 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/values.yaml @@ -0,0 +1,9 @@ +--- +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/description.md new file mode 100644 index 00000000..0b89d1d8 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/description.md @@ -0,0 +1,2 @@ +kind using provided domain with http and kyverno clusterSecurityEngine +With lookupService enabled with clusterPackages providing alternate ingressPrefix that should remain \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/expected.yaml new file mode 100644 index 00000000..56d82dc1 --- /dev/null 
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/expected.yaml @@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_REMAIN diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/values.yaml new file mode 100644 index 00000000..5f2f3b7c --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/values.yaml @@ -0,0 +1,14 @@ +--- +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true +clusterPackages: + educates: + settings: + lookupService: + ingressPrefix: THIS_SHOULD_REMAIN diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/description.md new file mode 100644 index 00000000..2fcadff1 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/description.md @@ -0,0 +1,3 @@ +kind using provided domain with http and kyverno clusterSecurityEngine +With lookupService enabled with ingressPrefix +and clusterPackages providing alternate ingressPrefix that should not prevail \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/expected.yaml new file mode 100644 index 00000000..56d82dc1 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/expected.yaml @@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_REMAIN diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/values.yaml new file mode 100644 index 00000000..84b3257d --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/values.yaml @@ -0,0 +1,15 @@ +--- +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_REMAIN +clusterPackages: + educates: + settings: + lookupService: + ingressPrefix: THIS_SHOULD_NOT diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/expected.yaml index 86eb65c8..a418e5ed 100644 --- a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/expected.yaml 
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/expected.yaml @@ -28,10 +28,4 @@ clusterPackages: settings: {} educates: enabled: false - settings: - clusterIngress: - domain: educates.example.com - clusterSecurity: - policyEngine: kyverno - workshopSecurity: - rulesEngine: kyverno + settings: {} diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/expected.yaml index 1d58aa28..a418e5ed 100644 --- a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/expected.yaml +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/expected.yaml @@ -28,10 +28,4 @@ clusterPackages: settings: {} educates: enabled: false - settings: - clusterIngress: - domain: educates.example.com - clusterSecurity: - policyEngine: none - workshopSecurity: - rulesEngine: kyverno + settings: {} diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/expected.yaml index 6aa5c27a..a418e5ed 100644 --- a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/expected.yaml +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/expected.yaml @@ -28,19 +28,4 @@ clusterPackages: settings: {} educates: enabled: false - settings: - clusterIngress: - domain: educates.example.com - tlsCertificate: - tls.crt: | - -----BEGIN CERTIFICATE----- - "TLS_CRT" - -----END CERTIFICATE----- - tls.key: | - -----BEGIN CERTIFICATE----- - "TLS_KEY" - -----END CERTIFICATE----- - clusterSecurity: - policyEngine: none - workshopSecurity: - rulesEngine: kyverno + settings: {} diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/expected.yaml index da4e4123..27d97363 100644 --- a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/expected.yaml 
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/expected.yaml @@ -28,19 +28,4 @@ clusterPackages: settings: {} educates: enabled: false - settings: - clusterIngress: - domain: educates.example.com - tlsCertificate: - tls.crt: | - -----BEGIN CERTIFICATE----- - "TLS_CRT" - -----END CERTIFICATE----- - tls.key: | - -----BEGIN CERTIFICATE----- - "TLS_KEY" - -----END CERTIFICATE----- - clusterSecurity: - policyEngine: kyverno - workshopSecurity: - rulesEngine: kyverno + settings: {} diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/description.md new file mode 100644 index 00000000..b1fa96a4 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/description.md @@ -0,0 +1,2 @@ +kind with educates mixture of top-level values and clusterPackage values. +Top level values are the ones to remain in case both are provided diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/expected.yaml new file mode 100644 index 00000000..de47fb62 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/expected.yaml 
@@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: THIS.domain.should.remain + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_REMAIN diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/values.yaml new file mode 100644 index 00000000..479eadea --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/values.yaml @@ -0,0 +1,16 @@ +clusterInfrastructure: + provider: "kind" +clusterPackages: + educates: + enabled: true + settings: + clusterIngress: + domain: "educates.example.com" + lookupService: + enabled: false + ingressPrefix: "THIS_SHOULD_GO_AWAY" +clusterIngress: + domain: "THIS.domain.should.remain" +lookupService: + enabled: true + ingressPrefix: "THIS_SHOULD_REMAIN" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/description.md index ddde589f..60a69097 100644 --- a/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/description.md +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/description.md @@ -1,2 +1,2 @@ -kind using customized contour config en kapp-controller enabled +kind using customized contour config and kapp-controller enabled (Contour config would be defaulted and provided will not be used) 
diff --git a/carvel-packages/installer/scenarios/test-scenarios.sh b/carvel-packages/installer/scenarios/test-scenarios.sh index 384038d0..4f503019 100755 --- a/carvel-packages/installer/scenarios/test-scenarios.sh +++ b/carvel-packages/installer/scenarios/test-scenarios.sh @@ -9,6 +9,15 @@ while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symli done DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" +# Make a test to verify yq command is accesible and can be run or else fail with a message to install it +yq --version >/dev/null 2>&1 +result=$? +if [[ "$result" -ne 0 ]] +then + echo "yq command not found. Please install it from https://github.com/mikefarah/yq/releases" + exit 1 +fi + # # Colors for echo # @@ -76,8 +85,8 @@ function test { echo "===" cat description.md echo "===" - RESULT_VALUES=$(ytt --data-values-file values.yaml -f ${DIR}/../bundle/config/ytt --data-value-yaml debug=true | yq) - diff <(echo "$RESULT_VALUES") <(cat expected.yaml | yq) + RESULT_VALUES=$(ytt --data-values-file values.yaml -f ${DIR}/../bundle/config/ytt --data-value-yaml debug=true | yq -P 'sort_keys(..)') + diff <(echo "$RESULT_VALUES") <(cat expected.yaml | yq -P 'sort_keys(..)') result=$? [[ "$result" -eq 0 ]] && echo "Result Diff Values/Expected: OK" || echo -e "Result Diff Values/Expected: ${RED}NO OK${NC}" ytt --data-values-file values.yaml -f ${DIR}/../bundle/config/ytt --data-value-yaml debug=false >/dev/null 2>&1 @@ -104,7 +113,7 @@ function debug { echo "===" RESULT_VALUES=$(ytt --data-values-file values.yaml -f ${DIR}/../bundle/config/ytt --data-value-yaml debug=true) result=$? - echo "$RESULT_VALUES" | yq + echo "$RESULT_VALUES" | yq -P 'sort_keys(..)' [[ "$result" -eq 0 ]] || echo -e "${RED}Error processing ytt template${NC}" popd >/dev/null 2>&1 @@ -138,4 +147,3 @@ do done # this last one is because it's not doing the for loop when there's no arguments test "*" - From 0992e3a842f518eb2f1d71b1e416176c83d3216f Mon Sep 17 00:00:00 2001 
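Review bot: The new `yq --version` probe in the first hunk only proves that some binary called `yq` runs; the Python `yq` wrapper (the jq front-end) answers `--version` too but does not understand the `-P 'sort_keys(..)'` invocation the later hunks add, so a machine with the wrong yq passes the check and then fails inside `test` with an unrelated-looking error. Since the message already points at mikefarah's releases, tighten the probe to that implementation, e.g. `yq --version 2>/dev/null | grep -q mikefarah || { echo "mikefarah yq (v4) not found. Please install it from https://github.com/mikefarah/yq/releases"; exit 1; }` (its version banner carries the repository URL, so confirm the match string against the pinned version). Separately, `RESULT_VALUES=$(ytt ... | yq -P ...)` has no `pipefail`, so a failing ytt run yields an empty document and the diff against `expected.yaml` reports a confusing mismatch rather than the template error; the second `ytt` invocation in the same function appears to be the intended error check, so a one-line comment saying so would help the next reader.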
From: Graham Dumpleton Date: Thu, 8 Aug 2024 11:10:33 +1000 Subject: [PATCH 07/11] Fix up RBAC for lookup service. --- .../upstream/clusterrolebindings.yaml | 2 +- .../lookup-service/upstream/clusterroles.yaml | 49 ++++++++++++++++- .../lookup-service/upstream/rolebindings.yaml | 14 ----- .../lookup-service/upstream/roles.yaml | 53 ------------------- 4 files changed, 49 insertions(+), 69 deletions(-) delete mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/rolebindings.yaml delete mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/roles.yaml diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml index 6b2a97f8..103ac292 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml @@ -25,4 +25,4 @@ roleRef: subjects: - kind: ServiceAccount name: remote-access - namespace: educates-config + namespace: educates diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml index 192739a7..1c54adde 100644 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml 
@@ -15,7 +15,17 @@ rules: - get - list - watch - #! We need the ability to watch for namespace changes. + #! We need the ability to create events in the application namespace so kopf + #! can log events. + - apiGroups: + - "" + resources: + - events + verbs: + - create + + #! We need the ability to watch for namespace changes. Also believe this is + #! required by kopf. - apiGroups: - "" resources: @@ -24,6 +34,43 @@ rules: - get - list - watch + #! We need read/write access to the ClusterConfig, ClientConfig and + #! TenantConfig custom resources from the lookup.educates.dev API group. + - apiGroups: + - lookup.educates.dev + resources: + - clusterconfigs + - clientconfigs + - tenantconfigs + verbs: + - get + - list + - watch + - patch + - update + #! We need update access to the finalizers of the ClusterConfig, ClientConfig + #! and TenantConfig custom resources from the lookup.educates.dev API group so + #! kopf can track deletion. + - apiGroups: + - lookup.educates.dev + resources: + - clusterconfigs/finalizers + - clientconfigs/finalizers + - tenantconfigs/finalizers + verbs: + - update + #! We need read access to the secrets in the application namespace, so we can + #! read the kubeconfig for the managed cluster. This is done as cluster role + #! rather than role against a namespace, as the actual namespace name is + #! configurable and not fixed. + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch --- #! Cluster role for the remote access clients. apiVersion: rbac.authorization.k8s.io/v1 diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/rolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/rolebindings.yaml deleted file mode 100644 index 96ea7756..00000000 
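Review bot: The second hunk moves `secrets` get/list/watch (and `events` create) from the deleted namespaced Role into the ClusterRole with no `resourceNames`, which—if this ClusterRole is bound with a ClusterRoleBinding, as the companion file in this patch suggests—lets the lookup-service ServiceAccount read every Secret in the cluster, not just the kubeconfig in its own namespace. The stated reason ("the actual namespace name is configurable and not fixed") does not require cluster-wide scope: a RoleBinding may reference a ClusterRole and confines it to the binding's namespace, so the secrets/events rules can stay in the ClusterRole while a ytt-templated RoleBinding in the configured namespace grants them, leaving only the namespaces and lookup.educates.dev rules in the ClusterRoleBinding. I have not seen the ClusterRoleBinding for the lookup-service account or the ytt value holding the namespace, so the names below are taken from the deleted RoleBinding and should be checked. The ClusterRole's `metadata` and the remote-access role begin and end outside the hunk.
```yaml
# RoleBinding scoped to the (configurable) application namespace; the
# secrets/events rules move into a ClusterRole bound only here.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: lookup-service
  namespace: educates  #! TODO: template from the namespace data value
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: lookup-service  #! presumed ClusterRole name; confirm
subjects:
- kind: ServiceAccount
  name: lookup-service
  namespace: educates  #! same value as above
```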
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/rolebindings.yaml +++ /dev/null @@ -1,14 +0,0 @@ -#! Role bindings for the lookup service. -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: lookup-service - namespace: educates -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: lookup-service -subjects: -- kind: ServiceAccount - name: lookup-service - namespace: educates diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/roles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/roles.yaml deleted file mode 100644 index b443685b..00000000 --- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/roles.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -#! Role for the lookup service application. -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: lookup-service - namespace: educates -rules: - #! We need read/write access to the ClusterConfig, ManagedCluster, - #! ClientConfig and TenantConfig custom resources from the - #! lookup.educates.dev API group. - - apiGroups: - - lookup.educates.dev - resources: - - clusterconfigs - - managedclusters - - clientconfigs - - tenantconfigs - verbs: - - get - - list - - watch - - patch - - update - #! We need update access to the finalizers of the ClusterConfig, - #! ManagedCluster, ClientConfig and TenantConfig custom resources from the - #! lookup.educates.dev API group so kopf can track deletion. - - apiGroups: - - lookup.educates.dev - resources: - - clusterconfigs/finalizers - - managedclusters/finalizers - - clientconfigs/finalizers - - tenantconfigs/finalizers - verbs: - - update - #! We need read access to the secrets in the application namespace, so we can - #! read the kubeconfig for the managed cluster. - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - #! We need the ability to create events in the application namespace so kopf - #! can log events. - - apiGroups: - - "" - resources: - - events - verbs: - - create From 2cb42e67a0d35ae01358466062c5ec14a3e12b30 Mon Sep 17 00:00:00 2001 From: Graham Dumpleton Date: Thu, 8 Aug 2024 17:54:42 +1000 Subject: [PATCH 08/11] Need calculated ingress secret name for lookup service ingress. --- .../lookup-service/overlays.yaml/overlay-ingress.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml index a92855e5..f8b4c3ec 100644 
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml @@ -1,6 +1,14 @@ #@ load("@ytt:overlay", "overlay") #@ load("@ytt:data", "data") +#@ if (hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None): +#@ ingress_secret = "wildcard" +#@ elif data.values.clusterIngress.tlsCertificateRef.name != None: +#@ ingress_secret = data.values.clusterIngress.tlsCertificateRef.name +#@ else: +#@ ingress_secret = "{}-tls".format(data.values.clusterIngress.domain) +#@ end + #@overlay/match by=overlay.subset({"kind":"Ingress"}) --- #@ if/end hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None: @@ -18,4 +26,4 @@ spec: tls: - hosts: - #@ "{}.{}".format(data.values.lookupService.ingressPrefix, data.values.clusterIngress.domain) - secretName: wildcard \ No newline at end of file + secretName: #@ ingress_secret From 0c9f9e3ec27f75585fc8ce1aa2ccf7c4daf0381e Mon Sep 17 00:00:00 2001 From: Jorge Morales Pou Date: Thu, 8 Aug 2024 10:20:50 +0200 Subject: [PATCH 09/11] Fixed carvel publish action --- .github/workflows/build-and-publish-images.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build-and-publish-images.yaml b/.github/workflows/build-and-publish-images.yaml index a2e008fe..eefba755 100644 --- a/.github/workflows/build-and-publish-images.yaml +++ b/.github/workflows/build-and-publish-images.yaml @@ -521,6 +521,7 @@ jobs: infraProvider: custom cert-manager: enabled: true + settings: {} external-dns: enabled: true settings: @@ -541,6 +542,7 @@ jobs: ca.key: "BB" kyverno: enabled: true + settings: {} educates: enabled: true settings: 
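Review bot: In the first hunk the `elif` dereferences `data.values.clusterIngress.tlsCertificateRef.name` without the `hasattr` guard the `clusterIssuer` branch uses, so a values schema where `tlsCertificateRef` is absent fails at template time rather than falling through; mirror the guard: `#@ elif hasattr(data.values.clusterIngress, "tlsCertificateRef") and data.values.clusterIngress.tlsCertificateRef.name != None:`. The final `else` also synthesises `"<domain>-tls"` for the plain-HTTP case (the kind scenarios in this series set neither a clusterIssuer nor a tlsCertificateRef), and unless the `spec.tls` block is gated outside this hunk, the Ingress then references a Secret nobody creates, which Contour reports as an invalid TLS secret and serves with its fallback certificate instead of the intended one; consider gating `tls:` on the same condition, or at least documenting where `<domain>-tls` is expected to come from with a one-line `#!` comment above the `else`. The rest of the overlay and the `tls:` gating, if any, sit outside the hunk.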
@@ -550,6 +552,8 @@ jobs:
host: "ghcr.io"
namespace: ${{env.REPOSITORY_OWNER}}
version: ${{env.REPOSITORY_TAG}}
+ lookupService:
+ enabled: true
EOF
- name: Publish educates-installer bundle
From 13161e004f7785bf04cfb26fcc89fdfde8ce8d94 Mon Sep 17 00:00:00 2001
From: Jorge Morales Pou
Date: Thu, 8 Aug 2024 10:24:52 +0200
Subject: [PATCH 10/11] Removed unneeded vendir reference
---
 vendir.lock.yml | 6 ------
 vendir.yml | 9 ---------
 2 files changed, 15 deletions(-)
diff --git a/vendir.lock.yml b/vendir.lock.yml
index d30c54a4..4831066a 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -60,10 +60,4 @@ directories:
url: https://api.github.com/repos/carvel-dev/kapp-controller/releases/155438864
path: .
path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/upstream
-# - contents:
-# - git:
-# commitTitle: Changes related to new lookup service.
-# sha: bd0b8588767f8664eccb22f7e2502f8f529990d5
-# path: .
-# path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream
kind: LockConfig
diff --git a/vendir.yml b/vendir.yml
index 8cdf4f58..08976d1f 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -114,12 +114,3 @@ directories:
disableAutoChecksumValidation: true
includePaths:
- release.yml
- # - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream
- # contents:
- # - path: "."
- # git:
- # url: https://github.com/GrahamDumpleton/lab-platform-operator
- # ref: origin/main
- # includePaths:
- # - exercises/resources-v2/*.yaml
- # newRootPath: exercises/resources-v2
\ No newline at end of file
From 4e75876983162e58b8e622919ccf3ce025b53c92 Mon Sep 17 00:00:00 2001
From: Jorge Morales Pou
Date: Thu, 8 Aug 2024 12:06:54 +0200
Subject: [PATCH 11/11] Simplified lookup service subpackage and overlay
---
 .../_ytt_lib/packages/educates/08-lookup.yaml | 21 ++++++++++++++-
 .../_ytt_lib/lookup-service/00-package.star | 26 +++++++++----------
 .../overlays.yaml/overlay-image.yaml | 6 ++---
 .../overlays.yaml/overlay-ingress.yaml | 22 +++-------------
 .../educates/_ytt_lib/values-schema.yaml | 8 ++++++
 .../installer/bundle/config/ytt/config.yaml | 3 +++
 .../bundle/config/ytt/values-schema.yaml | 4 +--
 7 files changed, 52 insertions(+), 38 deletions(-)
 create mode 100644 carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/values-schema.yaml
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml
index fe5f0908..7c436695 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml
@@ -1,7 +1,26 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:library", "library")
#@ load("@ytt:template", "template")
+#@ load("/00-package.star", "image_reference", "image_pull_policy")
+
+#@ ingress_certificate = getattr(data.values.clusterIngress.tlsCertificate, "tls.crt")
+#@ ingress_private_key = getattr(data.values.clusterIngress.tlsCertificate, "tls.key")
+#@ image = image_reference("lookup-service")
+
+#@ if data.values.clusterIngress.tlsCertificateRef.name != None:
+#@ ingress_secret = data.values.clusterIngress.tlsCertificateRef.name
+#@ elif (ingress_certificate and ingress_private_key):
+#@ ingress_secret = "{}-tls".format(data.values.clusterIngress.domain)
+#@ end
+
+
+#@ def lookup_service_values():
+tld: #@ "{}.{}".format(data.values.lookupService.ingressPrefix, data.values.clusterIngress.domain)
+certName: #@ ingress_secret
+image: #@ image
+imagePullPolicy: #@ image_pull_policy(image)
+#@ end
#@ if data.values.lookupService.enabled:
---- #@ template.replace(library.get("lookup-service").with_data_values(data.values, plain=True).eval())
+--- #@ template.replace(library.get("lookup-service").with_data_values(lookup_service_values(), plain=True).eval())
#@ end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star
index a449d45d..43f7bc24 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star
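Review bot: `ingress_secret` is only bound inside the `if`/`elif` at the top of the hunk, so when `tlsCertificateRef.name` is unset and no `tls.crt`/`tls.key` pair is present the name is never assigned, and `certName: #@ ingress_secret` in `lookup_service_values()` fails at evaluation instead of producing the `None` that the lookup-service ingress overlay in this same commit tests for. Adding `#@ else:` and `#@ ingress_secret = None` before the `#@ end` makes the no-certificate case explicit. The earlier revision's `clusterIssuer` branch has also been dropped here, so a cluster that relies on cert-manager for its wildcard certificate now gets a lookup-service ingress with no TLS secret of its own unless a static certificate is supplied as well; if that is intended, a short `#!` comment above the `if` naming the certificate sources that are supported would save the next reader from re-deriving it.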
@@ -40,16 +40,16 @@ def image_pull_policy(image):
return always and "Always" or "IfNotPresent"
end
-def image_pull_secrets():
- return [item["name"] for item in data.values.clusterSecrets.pullSecretRefs]
-end
-
-def docker_config_json(host, username, password):
- return json.encode({
- "auths": {
- host: {
- "auth": base64.encode("{}:{}".format(username, password))
- }
- }
- })
-end
+#! def image_pull_secrets():
+#! return [item["name"] for item in data.values.clusterSecrets.pullSecretRefs]
+#! end
+#!
+#! def docker_config_json(host, username, password):
+#! return json.encode({
+#! "auths": {
+#! host: {
+#! "auth": base64.encode("{}:{}".format(username, password))
+#! }
+#! }
+#! })
+#! end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml
index bbfbdfc2..9b8d0c70 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml
@@ -1,6 +1,5 @@
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
-#@ load("/00-package.star", "image_reference", "image_pull_policy")
#@overlay/match by=overlay.subset({"kind":"Deployment"})
---
@@ -10,6 +9,5 @@ spec:
containers:
#@overlay/match by="name"
- name: lookup-service
- #@ image = image_reference("lookup-service")
- image: #@ image
- imagePullPolicy: #@ image_pull_policy(image)
\ No newline at end of file
+ image: #@ data.values.image
+ imagePullPolicy: #@ data.values.imagePullPolicy
\ No newline at end of file
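Review bot: The removed `image_pull_secrets` and `docker_config_json` functions are kept verbatim as `#!` comment lines rather than deleted, leaving thirteen lines of dead code — including the base64-encoded registry credential builder — that this series apparently no longer calls. Git history already preserves them, so dropping the block is cleaner; if it is kept deliberately, a one-line `#! Unused: image and pull policy now arrive as data values from 08-lookup.yaml` would tell the next reader why. If the `json` and `base64` modules were loaded at the top of this file (outside the hunk) only for `docker_config_json`, those `load(...)` lines are now unused as well. The enclosing `image_pull_policy` function begins outside the hunk.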
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml
index f8b4c3ec..95fd0599 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml
@@ -1,29 +1,15 @@
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
-#@ if (hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None):
-#@ ingress_secret = "wildcard"
-#@ elif data.values.clusterIngress.tlsCertificateRef.name != None:
-#@ ingress_secret = data.values.clusterIngress.tlsCertificateRef.name
-#@ else:
-#@ ingress_secret = "{}-tls".format(data.values.clusterIngress.domain)
-#@ end
-
#@overlay/match by=overlay.subset({"kind":"Ingress"})
---
-#@ if/end hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None:
-metadata:
- #@overlay/match missing_ok=True
- annotations:
- #@overlay/match missing_ok=True
- cert-manager.io/cluster-issuer: #@ data.values.clusterIngress.clusterIssuer
spec:
rules:
#@overlay/match by=overlay.index(0)
- - host: #@ "{}.{}".format(data.values.lookupService.ingressPrefix, data.values.clusterIngress.domain)
+ - host: #@ data.values.tld
#@overlay/match missing_ok=True
- #@ if/end (hasattr(data.values.clusterIngress, "clusterIssuer") and data.values.clusterIngress.clusterIssuer != None) or (data.values.clusterIngress.tlsCertificateRef.name != None):
+ #@ if/end data.values.certName != None:
tls:
- hosts:
- - #@ "{}.{}".format(data.values.lookupService.ingressPrefix, data.values.clusterIngress.domain)
- secretName: #@ ingress_secret
+ - #@ data.values.tld
+ secretName: #@ data.values.certName
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/values-schema.yaml
new file mode 100644
index 00000000..80465d38
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/values-schema.yaml
@@ -0,0 +1,8 @@
+#@data/values-schema
+---
+#! Ingress
+tld: ""
+certName: ""
+#! Images
+image: ""
+imagePullPolicy: ""
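Review bot: `#@ if/end data.values.certName != None:` guards the `tls` block, but the `values-schema.yaml` added in the next hunk declares `certName: ""` as a plain string with no `#@schema/nullable`, so a caller that supplies no certificate name gets the default `""` — which is not `None` — and the overlay emits a `tls` entry with `secretName: ""`; passing `null` explicitly would presumably be rejected by the schema type instead, so the no-certificate case cannot currently yield an ingress without `tls`. Either test truthiness, `#@ if/end data.values.certName:`, which skips both `""` and `None`, or add `#@schema/nullable` above `certName: ""` in the schema so `None` is a legal value and the existing comparison holds. The `cert-manager.io/cluster-issuer` annotation removed at the top of this hunk also means the lookup-service ingress no longer asks the configured issuer for a certificate; if the cluster wildcard secret is meant to cover it, a `#!` comment here saying so would help the next reader.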
diff --git a/carvel-packages/installer/bundle/config/ytt/config.yaml b/carvel-packages/installer/bundle/config/ytt/config.yaml
index 22915883..6e5aba88 100644
--- a/carvel-packages/installer/bundle/config/ytt/config.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/config.yaml
@@ -27,6 +27,9 @@
#@ for overlayToApply in getOverlaysFromLibrary():
#@ overlayedValues = struct.encode(yaml.decode(yaml.encode(overlay.apply(overlayedValues, overlayToApply))))
#@ end
+
+#! TODO: Here would be nice to calculate all the certificate specifics and then pass them to the overlayedValues
+
#@ if data.values.debug:
--- #@ overlayedValues
#@ else:
diff --git a/carvel-packages/installer/bundle/config/ytt/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/values-schema.yaml
index 7b00af0c..1416df17 100644
--- a/carvel-packages/installer/bundle/config/ytt/values-schema.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/values-schema.yaml
@@ -107,8 +107,8 @@ clusterInfrastructure:
#@schema/example "cert-manager@my-project.iam.gserviceaccount.com"
#@schema/validation ("workloadIdentity for cert-manager is required for gcp based providers",lambda v: len(v) >= 1)
cert-manager: ""
- #@schema/title "Additional CA Certificate"
- #@schema/desc "Additional CA Certificates to inject to the cluster. Currently only supported when provider is set to kind"
+ #@schema/title "CA Certificate"
+ #@schema/desc "CA Certificates to inject to the cluster. When provider is set to kind it'll configure cert-manager to generate certs. CA Issuers must be configured with a certificate (tls.crt) and private key (tls.key) stored in the Kubernetes secret"
#@schema/nullable
caCertificateRef:
#@schema/validation min_len=1