|
559 | 559 | "x-kubernetes-map-type": "atomic" |
560 | 560 | }, |
561 | 561 | "io.k8s.api.admissionregistration.v1alpha1.ParamRef": { |
562 | | - "description": "ParamRef references a parameter resource", |
| 562 | + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", |
563 | 563 | "properties": { |
564 | 564 | "name": { |
565 | | - "description": "Name of the resource being referenced.", |
| 565 | + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", |
566 | 566 | "type": "string" |
567 | 567 | }, |
568 | 568 | "namespace": { |
569 | | - "description": "Namespace of the referenced resource. Should be empty for the cluster-scoped resources", |
| 569 | + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", |
570 | 570 | "type": "string" |
| 571 | + }, |
| 572 | + "parameterNotFoundAction": { |
| 573 | + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", |
| 574 | + "type": "string" |
| 575 | + }, |
| 576 | + "selector": { |
| 577 | + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", |
| 578 | + "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset." |
571 | 579 | } |
572 | 580 | }, |
573 | 581 | "type": "object", |
|
624 | 632 | ] |
625 | 633 | }, |
626 | 634 | "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding": { |
627 | | - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.", |
| 635 | + "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", |
628 | 636 | "properties": { |
629 | 637 | "apiVersion": { |
630 | 638 | "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", |
|
699 | 707 | }, |
700 | 708 | "paramRef": { |
701 | 709 | "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", |
702 | | - "description": "ParamRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied." |
| 710 | + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." |
703 | 711 | }, |
704 | 712 | "policyName": { |
705 | 713 | "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", |
|
3902 | 3910 | "$ref": "#/definitions/io.k8s.api.batch.v1.PodFailurePolicy", |
3903 | 3911 | "description": "Specifies the policy of handling failed pods. In particular, it allows to specify the set of actions and conditions which need to be satisfied to take the associated action. If empty, the default behaviour applies - the counter of failed pods, represented by the jobs's .status.failed field, is incremented and it is checked against the backoffLimit. This field cannot be used in combination with restartPolicy=OnFailure.\n\nThis field is beta-level. It can be used when the `JobPodFailurePolicy` feature gate is enabled (enabled by default)." |
3904 | 3912 | }, |
| 3913 | + "podReplacementPolicy": { |
| 3914 | + "description": "podReplacementPolicy specifies when to create replacement Pods. Possible values are: - TerminatingOrFailed means that we recreate pods\n when they are terminating (has a metadata.deletionTimestamp) or failed.\n- Failed means to wait until a previously created Pod is fully terminated (has phase\n Failed or Succeeded) before creating a replacement Pod.\n\nWhen using podFailurePolicy, Failed is the the only allowed value. TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use. This is an alpha field. Enable JobPodReplacementPolicy to be able to use this field.", |
| 3915 | + "type": "string" |
| 3916 | + }, |
3905 | 3917 | "selector": { |
3906 | 3918 | "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", |
3907 | 3919 | "description": "A label query over pods that should match the pod count. Normally, the system sets this field for you. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors" |
|
3974 | 3986 | "format": "int32", |
3975 | 3987 | "type": "integer" |
3976 | 3988 | }, |
| 3989 | + "terminating": { |
| 3990 | + "description": "The number of pods which are terminating (in phase Pending or Running and have a deletionTimestamp).\n\nThis field is alpha-level. The job controller populates the field when the feature gate JobPodReplacementPolicy is enabled (disabled by default).", |
| 3991 | + "format": "int32", |
| 3992 | + "type": "integer" |
| 3993 | + }, |
3977 | 3994 | "uncountedTerminatedPods": { |
3978 | 3995 | "$ref": "#/definitions/io.k8s.api.batch.v1.UncountedTerminatedPods", |
3979 | 3996 | "description": "uncountedTerminatedPods holds the UIDs of Pods that have terminated but the job controller hasn't yet accounted for in the status counters.\n\nThe job controller creates pods with a finalizer. When a pod terminates (succeeded or failed), the controller does three steps to account for it in the job status:\n\n1. Add the pod UID to the arrays in this field. 2. Remove the pod finalizer. 3. Remove the pod UID from the arrays while increasing the corresponding\n counter.\n\nOld jobs might not be tracked using this field, in which case the field remains null." |
|
0 commit comments