
API Reference

Packages

policies.kubewarden.io/v1

Package v1 contains API Schema definitions for the policies v1 API group

Resource Types

AdmissionPolicy

AdmissionPolicy is the Schema for the admissionpolicies API

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `AdmissionPolicy` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _AdmissionPolicySpec_ | | | |

AdmissionPolicyGroup

AdmissionPolicyGroup is the Schema for the AdmissionPolicyGroups API

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `AdmissionPolicyGroup` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _AdmissionPolicyGroupSpec_ | | | |

AdmissionPolicyGroupList

AdmissionPolicyGroupList contains a list of AdmissionPolicyGroup.

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `AdmissionPolicyGroupList` | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _AdmissionPolicyGroup array_ | | | |

AdmissionPolicyGroupSpec

AdmissionPolicyGroupSpec defines the desired state of AdmissionPolicyGroup.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `PolicyGroupSpec` _PolicyGroupSpec_ | | | |

AdmissionPolicyList

AdmissionPolicyList contains a list of AdmissionPolicy.

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `AdmissionPolicyList` | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _AdmissionPolicy array_ | | | |

AdmissionPolicySpec

AdmissionPolicySpec defines the desired state of AdmissionPolicy.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `PolicySpec` _PolicySpec_ | | | |

ClusterAdmissionPolicy

ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `ClusterAdmissionPolicy` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _ClusterAdmissionPolicySpec_ | | | |

ClusterAdmissionPolicyGroup

ClusterAdmissionPolicyGroup is the Schema for the clusteradmissionpolicies API

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `ClusterAdmissionPolicyGroup` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _ClusterAdmissionPolicyGroupSpec_ | | | |

ClusterAdmissionPolicyGroupList

ClusterAdmissionPolicyGroupList contains a list of ClusterAdmissionPolicyGroup

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `ClusterAdmissionPolicyGroupList` | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _ClusterAdmissionPolicyGroup array_ | | | |

ClusterAdmissionPolicyGroupSpec

ClusterAdmissionPolicyGroupSpec defines the desired state of ClusterAdmissionPolicyGroup.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `ClusterPolicyGroupSpec` _ClusterPolicyGroupSpec_ | | | |
| `namespaceSelector` _LabelSelector_ | NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1", set the selector to `"namespaceSelector": {"matchExpressions": [{"key": "runlevel", "operator": "NotIn", "values": ["0", "1"]}]}`. If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging", set the selector to `"namespaceSelector": {"matchExpressions": [{"key": "environment", "operator": "In", "values": ["prod", "staging"]}]}`. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Defaults to the empty LabelSelector, which matches everything. | | Optional: {} |
| `allowInsideAdmissionControllerNamespace` _boolean_ | AllowInsideAdmissionControllerNamespace controls whether the policy should also be evaluated for resources in the namespace where Kubewarden is deployed. By default (false), an exclusion rule is added to the webhook so that the Kubewarden namespace is never targeted, protecting against an accidental lockout. Set this to true only if you deliberately want the policy to apply inside the Kubewarden namespace. Warning: setting this to true may cause a deadlock if the policy prevents Kubewarden components from starting. | | Optional: {} |

ClusterAdmissionPolicyList

ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `ClusterAdmissionPolicyList` | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _ClusterAdmissionPolicy array_ | | | |

ClusterAdmissionPolicySpec

ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `PolicySpec` _PolicySpec_ | | | |
| `namespaceSelector` _LabelSelector_ | NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1", set the selector to `"namespaceSelector": {"matchExpressions": [{"key": "runlevel", "operator": "NotIn", "values": ["0", "1"]}]}`. If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging", set the selector to `"namespaceSelector": {"matchExpressions": [{"key": "environment", "operator": "In", "values": ["prod", "staging"]}]}`. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Defaults to the empty LabelSelector, which matches everything. | | Optional: {} |
| `contextAwareResources` _ContextAwareResource array_ | List of Kubernetes resources the policy is allowed to access at evaluation time. Access to these resources is done using the ServiceAccount of the PolicyServer the policy is assigned to. | | Optional: {} |
| `allowInsideAdmissionControllerNamespace` _boolean_ | AllowInsideAdmissionControllerNamespace controls whether the policy should also be evaluated for resources in the namespace where Kubewarden is deployed. By default (false), an exclusion rule is added to the webhook so that the Kubewarden namespace is never targeted, protecting against an accidental lockout. Set this to true only if you deliberately want the policy to apply inside the Kubewarden namespace. Warning: setting this to true may cause a deadlock if the policy prevents Kubewarden components from starting. | | Optional: {} |
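
The `namespaceSelector` semantics described above for `ClusterAdmissionPolicyGroupSpec` and `ClusterAdmissionPolicySpec`, as an added Go example that is not Kubewarden code: it evaluates a LabelSelector with Kubernetes `matchLabels` and `matchExpressions` semantics and applies the three cases the reference states (a namespaced object is matched through its namespace's labels, a Namespace on its own labels, any other cluster-scoped resource is always sent). The `Object`, `Requirement` and `ShouldRunWebhook` names and the `SampleNamespaces` label map are constructed for this example; the two selectors are the ones quoted in the reference.

```go
package main

import "fmt"

// Requirement is one entry of matchExpressions (operators as in Kubernetes).
type Requirement struct {
	Key      string
	Operator string // In, NotIn, Exists, DoesNotExist
	Values   []string
}

// LabelSelector mirrors the two halves of a Kubernetes LabelSelector.
type LabelSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []Requirement
}

func contains(values []string, v string) bool {
	for _, x := range values {
		if x == v {
			return true
		}
	}
	return false
}

// Matches applies Kubernetes semantics: every matchLabels entry and every
// matchExpressions requirement must hold; the empty selector matches everything.
func (s LabelSelector) Matches(labels map[string]string) (bool, error) {
	for k, want := range s.MatchLabels {
		got, ok := labels[k]
		if !ok || got != want {
			return false, nil
		}
	}
	for _, r := range s.MatchExpressions {
		val, present := labels[r.Key]
		switch r.Operator {
		case "In":
			if !present || !contains(r.Values, val) {
				return false, nil
			}
		case "NotIn": // a missing key satisfies NotIn
			if present && contains(r.Values, val) {
				return false, nil
			}
		case "Exists":
			if !present {
				return false, nil
			}
		case "DoesNotExist":
			if present {
				return false, nil
			}
		default:
			return false, fmt.Errorf("unsupported operator %q for key %q", r.Operator, r.Key)
		}
	}
	return true, nil
}

// Object is a constructed stand-in for the admission subject.
type Object struct {
	Kind      string
	Namespace string // empty for cluster-scoped resources
	Labels    map[string]string
}

// ShouldRunWebhook applies the rule from the reference: a namespaced object is
// matched through its namespace's labels, a Namespace through its own labels,
// and any other cluster-scoped resource never skips the webhook. nsLabels maps
// namespace name to that namespace's labels (constructed here; a controller
// would read it from the API server).
func ShouldRunWebhook(sel LabelSelector, obj Object, nsLabels map[string]map[string]string) (bool, error) {
	switch {
	case obj.Kind == "Namespace":
		return sel.Matches(obj.Labels)
	case obj.Namespace == "":
		return true, nil
	default:
		return sel.Matches(nsLabels[obj.Namespace])
	}
}

// The two selectors quoted in the reference.
var (
	RunlevelSelector = LabelSelector{MatchExpressions: []Requirement{
		{Key: "runlevel", Operator: "NotIn", Values: []string{"0", "1"}},
	}}
	EnvSelector = LabelSelector{MatchExpressions: []Requirement{
		{Key: "environment", Operator: "In", Values: []string{"prod", "staging"}},
	}}
)

// SampleNamespaces is constructed input: three namespaces and their labels.
var SampleNamespaces = map[string]map[string]string{
	"kube-system": {"runlevel": "0"},
	"payments":    {"runlevel": "2", "environment": "prod"},
	"sandbox":     {"environment": "dev"},
}

func main() {
	for _, ns := range []string{"kube-system", "payments", "sandbox"} {
		run, _ := ShouldRunWebhook(RunlevelSelector, Object{Kind: "Pod", Namespace: ns}, SampleNamespaces)
		fmt.Printf("Pod in %-12s -> runlevel selector runs webhook: %v\n", ns, run)
	}
}
```

The `NotIn` case is the one to check before adopting the runlevel selector: a namespace with no `runlevel` label at all still satisfies it, so the policy is enforced there, and only namespaces explicitly labelled `0` or `1` are exempted.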

ClusterPolicyGroupSpec

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `GroupSpec` _GroupSpec_ | | | |
| `policies` _PolicyGroupMembersWithContext_ | Policies is a list of policies that are part of the group that will be available to be called in the evaluation expression field. Each policy in the group should be a Kubewarden policy. | | Required: {} |

ContextAwareResource

ContextAwareResource identifies a Kubernetes resource.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | apiVersion of the resource (v1 for core group, groupName/groupVersions for other). | | |
| `kind` _string_ | Singular PascalCase name of the resource | | |

GroupSpec

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `policyServer` _string_ | PolicyServer identifies an existing PolicyServer resource. | default | Optional: {} |
| `mode` _PolicyMode_ | Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it is empty, it defaults to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but transitioning from "protect" to "monitor" is not. To perform that transition, recreate the policy in "monitor" mode instead. | protect | Enum: [protect monitor]; Optional: {} |
| `rules` _RuleWithOperations array_ | Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule. | | |
| `failurePolicy` _FailurePolicyType_ | FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail". | | Optional: {} |
| `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true". | true | Optional: {} |
| `matchPolicy` _MatchPolicyType_ | matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent". | | Optional: {} |
| `matchConditions` _MatchCondition array_ | MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): if failurePolicy=Fail, reject the request; if failurePolicy=Ignore, the policy is skipped. Only available if the feature gate AdmissionWebhookMatchConditions is enabled. | | Optional: {} |
| `objectSelector` _LabelSelector_ | ObjectSelector decides whether to run the webhook based on whether the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Defaults to the empty LabelSelector, which matches everything. | | Optional: {} |
| `sideEffects` _SideEffectClass_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. | | |
| `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 2 and 30 seconds. Defaults to 10 seconds. | 10 | Maximum: 30; Minimum: 2; Optional: {} |
| `expression` _string_ | Expression is the evaluation expression to accept or reject the admission request under evaluation. This field uses CEL as the expression language for the policy groups. Each policy in the group will be represented as a function call in the expression with the same name as the policy defined in the group. The expression field should be a valid CEL expression that evaluates to a boolean value. If the expression evaluates to true, the group policy will be considered as accepted; otherwise, it will be considered as rejected. This expression allows grouping policy calls and performing logical operations on the results of the policies. See the Kubewarden documentation to learn about all the features available. | | Required: {} |
| `message` _string_ | Message is used to specify the message that will be returned when the policy group is rejected. The specific policy results will be returned in the warning field of the response. | | Required: {} |

PolicyGroupMember

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `module` _string_ | Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). If the prefix is missing, it defaults to registry:// and uses that internally. | | Required: {} |
| `settings` _RawExtension_ | Settings is a free-form object that contains the policy configuration values. | | x-kubernetes-embedded-resource: false; Optional: {} |
| `timeoutEvalSeconds` _integer_ | TimeoutEvalSeconds specifies the timeout for the policy evaluation. After the timeout passes, the policy evaluation call will fail based on the failure policy. The timeout value must be between 2 and 30 seconds. | | Maximum: 30; Minimum: 2; Optional: {} |

PolicyGroupMemberWithContext

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `PolicyGroupMember` _PolicyGroupMember_ | | | |
| `contextAwareResources` _ContextAwareResource array_ | List of Kubernetes resources the policy is allowed to access at evaluation time. Access to these resources is done using the ServiceAccount of the PolicyServer the policy is assigned to. | | Optional: {} |

PolicyGroupMembers

Underlying type: map[string]PolicyGroupMember

Appears in:

PolicyGroupMembersWithContext

Underlying type: map[string]PolicyGroupMemberWithContext

Appears in:

PolicyGroupSpec

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `GroupSpec` _GroupSpec_ | | | |
| `policies` _PolicyGroupMembers_ | Policies is a list of policies that are part of the group that will be available to be called in the evaluation expression field. Each policy in the group should be a Kubewarden policy. | | Required: {} |

PolicyMode

Underlying type: string

Validation:

  • Enum: [protect monitor]

Appears in:

PolicyModeStatus

Underlying type: string

Validation:

  • Enum: [protect monitor unknown]

Appears in:

| Field | Description |
| --- | --- |
| `protect` | |
| `monitor` | |
| `unknown` | |

PolicyServer

PolicyServer is the Schema for the policyservers API.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `PolicyServer` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _PolicyServerSpec_ | | | |

PolicyServerList

PolicyServerList contains a list of PolicyServer.

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1` | | |
| `kind` _string_ | `PolicyServerList` | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _PolicyServer array_ | | | |

PolicyServerSecurity

PolicyServerSecurity defines securityContext configuration to be used in the Policy Server workload.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `container` _SecurityContext_ | securityContext definition to be used in the policy server container | | Optional: {} |
| `pod` _PodSecurityContext_ | podSecurityContext definition to be used in the policy server Pod | | Optional: {} |

PolicyServerSpec

PolicyServerSpec defines the desired state of PolicyServer.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `image` _string_ | Docker image name. | | |
| `replicas` _integer_ | Replicas is the number of desired replicas. | | |
| `minAvailable` _IntOrString_ | Number of policy server replicas that must still be available after the eviction. The value can be an absolute number or a percentage. Only one of MinAvailable or MaxUnavailable can be set. | | |
| `maxUnavailable` _IntOrString_ | Number of policy server replicas that can be unavailable after the eviction. The value can be an absolute number or a percentage. Only one of MinAvailable or MaxUnavailable can be set. | | |
| `annotations` _object (keys:string, values:string)_ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | | Optional: {} |
| `labels` _object (keys:string, values:string)_ | Labels is a map of custom labels to be applied to the Deployment created by the PolicyServer and to the Pods managed by that Deployment. System labels set by the controller always take precedence over user-defined labels with the same key. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | | Optional: {} |
| `env` _EnvVar array_ | List of environment variables to set in the container. | | Optional: {} |
| `serviceAccountName` _string_ | Name of the service account associated with the policy server. The namespace service account will be used if not specified. | | Optional: {} |
| `imagePullSecret` _string_ | Name of ImagePullSecret secret in the same namespace, used for pulling policies from repositories. | | Optional: {} |
| `insecureSources` _string array_ | List of insecure URIs to policy repositories. The insecureSources content format corresponds with the contents of the insecure_sources key in sources.yaml. Reference for sources.yaml is found in the Kubewarden documentation in the reference section. | | Optional: {} |
| `sourceAuthorities` _object (keys:string, values:string array)_ | Key value map of registry URI endpoints to a list of their associated PEM encoded certificate authorities that have to be used to verify the certificate used by the endpoint. The sourceAuthorities content format corresponds with the contents of the source_authorities key in sources.yaml. Reference for sources.yaml is found in the Kubewarden documentation in the reference section. | | Optional: {} |
| `verificationConfig` _string_ | Name of VerificationConfig configmap in the kubewarden namespace (same namespace as the controller deployment), containing Sigstore verification configuration. The configuration must be under a key named verification-config in the ConfigMap. | | Optional: {} |
| `sigstoreTrustConfig` _string_ | Name of SigstoreTrustConfig configmap in the kubewarden namespace (same namespace as the controller deployment), containing Sigstore trust configuration (ClientTrustConfig JSON). The configuration must be under a key named sigstore-trust-config in the ConfigMap. This is used to configure a custom Sigstore instance instead of the default public Sigstore infrastructure. WARNING: This feature requires strict access control. Users with write access to this ConfigMap can influence policy signature verification. | | Optional: {} |
| `securityContexts` _PolicyServerSecurity_ | Security configuration to be used in the Policy Server workload. The field allows different configurations for the pod and containers. If set for the containers, this configuration will not be used in containers added by other controllers (e.g. telemetry sidecars). | | Optional: {} |
| `affinity` _Affinity_ | Affinity rules for the associated Policy Server pods. | | Optional: {} |
| `limits` _ResourceList_ | Limits describes the maximum amount of compute resources allowed. | | Optional: {} |
| `requests` _ResourceList_ | Requests describes the minimum amount of compute resources required. If Requests is omitted, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. | | Optional: {} |
| `tolerations` _Toleration array_ | Tolerations describe the policy server pod's tolerations. It can be used to ensure that the policy server pod is not scheduled onto a node with a taint. | | |
| `priorityClassName` _string_ | PriorityClassName is the name of the PriorityClass to be used for the policy server pods. Useful to schedule policy server pods with higher priority to ensure their availability over other cluster workload resources. Note: If the referenced PriorityClass is deleted, existing pods remain unchanged, but new pods that reference it cannot be created. | | Optional: {} |
| `namespacedPoliciesCapabilities` _string array_ | NamespacedPoliciesCapabilities lists host capability API calls allowed for namespaced policies running on this PolicyServer. When not set, no host capabilities are granted to namespaced policies. Supported wildcard patterns: `*` allows all host capabilities; `category/*` allows all capabilities in a category (e.g. `oci/*`); `category/version/*` allows all capabilities of a specific version (e.g. `oci/v1/*`); specific capability paths (e.g. `oci/v1/verify`, `net/v1/dns_lookup_host`). | | Optional: {} |
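
An illustrative matcher for the `namespacedPoliciesCapabilities` patterns listed above, added here as a Go example; it is not the PolicyServer's own implementation. The pattern forms (`*`, `category/*`, `category/version/*`, exact path) and the two capability paths `oci/v1/verify` and `net/v1/dns_lookup_host` come from the reference; `ReviewCapabilities` and the call name `other/v1/example` are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// CapabilityAllowed reports whether one host-capability call (for example
// "oci/v1/verify") is granted by a namespacedPoliciesCapabilities list, using
// the pattern forms the reference lists: "*" allows everything, "category/*"
// a whole category, "category/version/*" one version of a category, and any
// other entry must match the call exactly. An empty or nil list grants
// nothing, which is the documented behaviour when the field is not set.
// Assumption: this is an illustrative matcher, not the PolicyServer's code.
func CapabilityAllowed(patterns []string, call string) bool {
	for _, p := range patterns {
		switch {
		case p == "*":
			return true
		case strings.HasSuffix(p, "/*"):
			// "oci/*" -> prefix "oci/", "oci/v1/*" -> prefix "oci/v1/"
			if strings.HasPrefix(call, strings.TrimSuffix(p, "*")) {
				return true
			}
		case p == call:
			return true
		}
	}
	return false
}

// ReviewCapabilities splits the calls a policy needs into those the
// PolicyServer setting grants and those it would refuse, which is the check
// to run before assigning a namespaced policy to a server.
func ReviewCapabilities(patterns, needed []string) (allowed, denied []string) {
	for _, call := range needed {
		if CapabilityAllowed(patterns, call) {
			allowed = append(allowed, call)
		} else {
			denied = append(denied, call)
		}
	}
	return allowed, denied
}

func main() {
	// Constructed PolicyServer setting and a policy's declared needs;
	// "other/v1/example" is a made-up path, not a real capability.
	granted := []string{"oci/v1/*", "net/v1/dns_lookup_host"}
	needed := []string{"oci/v1/verify", "net/v1/dns_lookup_host", "other/v1/example"}
	allowed, denied := ReviewCapabilities(granted, needed)
	fmt.Println("allowed:", allowed)
	fmt.Println("denied: ", denied)
}
```

Granting `oci/v1/*` rather than `*` keeps a namespaced policy from reaching capabilities outside the one category it needs, which is the least-privilege reading of this field.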

PolicySpec

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `policyServer` _string_ | PolicyServer identifies an existing PolicyServer resource. | default | Optional: {} |
| `mode` _PolicyMode_ | Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it is empty, it defaults to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but transitioning from "protect" to "monitor" is not. To perform that transition, recreate the policy in "monitor" mode instead. | protect | Enum: [protect monitor]; Optional: {} |
| `module` _string_ | Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). If the prefix is missing, it defaults to registry:// and uses that internally. | | Required: {} |
| `settings` _RawExtension_ | Settings is a free-form object that contains the policy configuration values. | | x-kubernetes-embedded-resource: false; Optional: {} |
| `rules` _RuleWithOperations array_ | Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule. | | |
| `failurePolicy` _FailurePolicyType_ | FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail". | | Optional: {} |
| `mutating` _boolean_ | Mutating indicates whether a policy has the ability to mutate incoming requests or not. | | |
| `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true". | true | Optional: {} |
| `matchPolicy` _MatchPolicyType_ | matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent". | | Optional: {} |
| `matchConditions` _MatchCondition array_ | MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): if failurePolicy=Fail, reject the request; if failurePolicy=Ignore, the policy is skipped. Only available if the feature gate AdmissionWebhookMatchConditions is enabled. | | Optional: {} |
| `objectSelector` _LabelSelector_ | ObjectSelector decides whether to run the webhook based on whether the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Defaults to the empty LabelSelector, which matches everything. | | Optional: {} |
| `sideEffects` _SideEffectClass_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. | | |
| `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 2 and 30 seconds. Defaults to 10 seconds. | 10 | Maximum: 30; Minimum: 2; Optional: {} |
| `timeoutEvalSeconds` _integer_ | TimeoutEvalSeconds specifies the timeout for the policy evaluation. After the timeout passes, the policy evaluation call will fail based on the failure policy. The timeout value must be between 2 and 30 seconds. | | Maximum: 30; Minimum: 2; Optional: {} |
| `message` _string_ | Message overrides the rejection message of the policy. When provided, the policy's rejection message can be found inside the .status.details.causes field of the AdmissionResponse object. | | Optional: {} |
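
The ordered `matchConditions` logic stated in the `GroupSpec` and `PolicySpec` rows above (a FALSE condition skips the policy, all TRUE evaluates it, and an error with no FALSE is resolved by `failurePolicy`), as an added Go example that is neither Kubewarden's nor Kubernetes' code. Assumptions: each condition is modelled as a Go predicate instead of a CEL expression, and the `Request`, `MatchCondition` and `Outcome` types together with the three sample conditions are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// FailurePolicy carries the two FailurePolicyType values from the reference.
type FailurePolicy string

const (
	FailurePolicyFail   FailurePolicy = "Fail"
	FailurePolicyIgnore FailurePolicy = "Ignore"
)

// Outcome of applying the matchConditions to one admission request.
type Outcome string

const (
	OutcomeEvaluate Outcome = "evaluate" // all conditions TRUE: run the policy
	OutcomeSkip     Outcome = "skip"     // a condition was FALSE, or an error under Ignore
	OutcomeReject   Outcome = "reject"   // a condition errored and failurePolicy is Fail
)

// Request is a constructed stand-in for the admission request attributes a
// condition can inspect (a real condition is a CEL expression over the
// AdmissionReview; here each condition is a Go func).
type Request struct {
	Operation string
	Namespace string
	Labels    map[string]string
}

// MatchCondition is a named predicate that may fail with an error, the way a
// CEL expression fails at runtime when it touches a field the object lacks.
type MatchCondition struct {
	Name string
	Eval func(Request) (bool, error)
}

// ApplyMatchConditions implements the ordering stated in the reference:
//  1. any condition FALSE -> the policy is skipped
//  2. all TRUE -> the policy is evaluated
//  3. an error but no FALSE -> failurePolicy decides (Fail: reject, Ignore: skip)
// An empty list matches all requests; more than 64 conditions is invalid.
func ApplyMatchConditions(conds []MatchCondition, fp FailurePolicy, req Request) (Outcome, error) {
	if len(conds) > 64 {
		return "", errors.New("at most 64 matchConditions are allowed")
	}
	var evalErr error
	for _, c := range conds {
		ok, err := c.Eval(req)
		if err != nil {
			if evalErr == nil {
				evalErr = fmt.Errorf("matchCondition %q: %w", c.Name, err)
			}
			continue // keep going: a later FALSE still takes precedence over an error
		}
		if !ok {
			return OutcomeSkip, nil
		}
	}
	if evalErr != nil {
		if fp == FailurePolicyFail {
			return OutcomeReject, evalErr
		}
		return OutcomeSkip, nil
	}
	return OutcomeEvaluate, nil
}

// Three constructed conditions: two are total, the third errors when the
// object carries no labels at all.
var (
	notKubeSystem = MatchCondition{Name: "exclude-kube-system",
		Eval: func(r Request) (bool, error) { return r.Namespace != "kube-system", nil }}
	createOnly = MatchCondition{Name: "create-only",
		Eval: func(r Request) (bool, error) { return r.Operation == "CREATE", nil }}
	needsTeamLabel = MatchCondition{Name: "team-label-present",
		Eval: func(r Request) (bool, error) {
			if r.Labels == nil {
				return false, errors.New("object has no labels")
			}
			_, ok := r.Labels["team"]
			return ok, nil
		}}
)

func main() {
	conds := []MatchCondition{needsTeamLabel, notKubeSystem, createOnly}
	unlabelled := Request{Operation: "CREATE", Namespace: "payments"}
	for _, fp := range []FailurePolicy{FailurePolicyFail, FailurePolicyIgnore} {
		out, err := ApplyMatchConditions(conds, fp, unlabelled)
		fmt.Printf("failurePolicy=%s -> %s (err: %v)\n", fp, out, err)
	}
}
```

The asymmetry worth noting for a `failurePolicy: Fail` policy: a condition that errors on some requests turns the policy into an outright rejection of those requests unless another condition is FALSE for them, so conditions should be written to be total over every resource the `rules` admit.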

PolicyStatusEnum

Underlying type: string

Validation:

  • Enum: [unscheduled scheduled pending active]

Appears in:

| Field | Description |
| --- | --- |
| `unscheduled` | PolicyStatusUnscheduled is a transient state that will continue to scheduled. This is the default state if no policy server is assigned. |
| `scheduled` | PolicyStatusScheduled is a transient state that will continue to pending. This is the default state if a policy server is assigned. |
| `pending` | PolicyStatusPending informs that the policy server exists; we are reconciling all resources. |
| `active` | PolicyStatusActive informs that the k8s API server should be forwarding admission review objects to the policy. |

policies.kubewarden.io/v1alpha2

Package v1alpha2 contains API Schema definitions for the policies v1alpha2 API group

Resource Types

AdmissionPolicy

AdmissionPolicy is the Schema for the admissionpolicies API

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1alpha2` | | |
| `kind` _string_ | `AdmissionPolicy` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _AdmissionPolicySpec_ | | | |

AdmissionPolicyList

AdmissionPolicyList contains a list of AdmissionPolicy.

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1alpha2` | | |
| `kind` _string_ | `AdmissionPolicyList` | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _AdmissionPolicy array_ | | | |

AdmissionPolicySpec

AdmissionPolicySpec defines the desired state of AdmissionPolicy.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `PolicySpec` _PolicySpec_ | | | |

ClusterAdmissionPolicy

ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1alpha2` | | |
| `kind` _string_ | `ClusterAdmissionPolicy` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _ClusterAdmissionPolicySpec_ | | | |

ClusterAdmissionPolicyList

ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1alpha2` | | |
| `kind` _string_ | `ClusterAdmissionPolicyList` | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _ClusterAdmissionPolicy array_ | | | |

ClusterAdmissionPolicySpec

ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `PolicySpec` _PolicySpec_ | | | |
| `namespaceSelector` _LabelSelector_ | NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1", set the selector to `"namespaceSelector": {"matchExpressions": [{"key": "runlevel", "operator": "NotIn", "values": ["0", "1"]}]}`. If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging", set the selector to `"namespaceSelector": {"matchExpressions": [{"key": "environment", "operator": "In", "values": ["prod", "staging"]}]}`. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Defaults to the empty LabelSelector, which matches everything. | | Optional: {} |

PolicyMode

Underlying type: string

Validation:

  • Enum: [protect monitor]

Appears in:

PolicyModeStatus

Underlying type: string

Validation:

  • Enum: [protect monitor unknown]

Appears in:

| Field | Description |
| --- | --- |
| `protect` | |
| `monitor` | |
| `unknown` | |

PolicyServer

PolicyServer is the Schema for the policyservers API.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` _string_ | `policies.kubewarden.io/v1alpha2` | | |
| `kind` _string_ | `PolicyServer` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _PolicyServerSpec_ | | | |

PolicyServerList

PolicyServerList contains a list of PolicyServer.

Field Description Default Validation
apiVersion string policies.kubewarden.io/v1alpha2
kind string PolicyServerList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items PolicyServer array

PolicyServerSpec

PolicyServerSpec defines the desired state of PolicyServer.

Appears in:

Field Description Default Validation
image string Docker image name.
replicas integer Replicas is the number of desired replicas.
annotations object (keys:string, values:string) Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
Optional: {}
env EnvVar array List of environment variables to set in the container. Optional: {}
serviceAccountName string Name of the service account associated with the policy server.
The namespace's service account is used if not specified.
Optional: {}
imagePullSecret string Name of ImagePullSecret secret in the same namespace, used for pulling
policies from repositories.
Optional: {}
insecureSources string array List of insecure URIs to policy repositories. The insecureSources
content format corresponds with the contents of the insecure_sources
key in sources.yaml. Reference for sources.yaml is found in the
Kubewarden documentation in the reference section.
Optional: {}
sourceAuthorities object (keys:string, values:string array) Key value map of registry URIs endpoints to a list of their associated
PEM encoded certificate authorities that have to be used to verify the
certificate used by the endpoint. The sourceAuthorities content format
corresponds with the contents of the source_authorities key in
sources.yaml. Reference for sources.yaml is found in the Kubewarden
documentation in the reference section.
Optional: {}
verificationConfig string Name of the VerificationConfig ConfigMap in the same namespace, containing
the Sigstore verification configuration. The configuration must be under a
key named verification-config in the ConfigMap.
Optional: {}

PolicySpec

Appears in:

Field Description Default Validation
policyServer string PolicyServer identifies an existing PolicyServer resource. default Optional: {}
module string Module is the location of the WASM module to be loaded. Can be a
local file (file://), a remote file served by an HTTP server
(http://, https://), or an artifact served by an OCI-compatible
registry (registry://).
Required: {}
mode PolicyMode Mode defines the execution mode of this policy. Can be set to
either "protect" or "monitor". If it's empty, it is defaulted to
"protect".
Transitioning this setting from "monitor" to "protect" is
allowed, but transitioning from "protect" to "monitor" is
disallowed. To perform that transition, the policy should be
recreated in "monitor" mode instead.
protect Enum: [protect monitor]
Optional: {}
settings RawExtension Settings is a free-form object that contains the policy configuration
values.
x-kubernetes-embedded-resource: false
Optional: {}
rules RuleWithOperations array Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
failurePolicy FailurePolicyType FailurePolicy defines how unrecognized errors and timeout errors from the
policy are handled. Allowed values are "Ignore" or "Fail".
* "Ignore" means that an error calling the webhook is ignored and the API
request is allowed to continue.
* "Fail" means that an error calling the webhook causes the admission to
fail and the API request to be rejected.
The default behaviour is "Fail".
Optional: {}
mutating boolean Mutating indicates whether a policy has the ability to mutate
incoming requests or not.
matchPolicy MatchPolicyType matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".

  • Exact: match a request only if it exactly matches a specified rule.
    For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
    but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"],
    a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.

  • Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.
    For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
    and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"],
    a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.

Defaults to "Equivalent".
Optional: {}
objectSelector LabelSelector ObjectSelector decides whether to run the webhook based on whether the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector. A null
object (oldObject in the case of create, or newObject in the case of
delete) or an object that cannot have labels (like a
DeploymentRollback or a PodProxyOptions object) is not considered to
match.
Use the object selector only if the webhook is opt-in, because end
users may skip the admission webhook by setting the labels.
Defaults to the empty LabelSelector, which matches everything.
Optional: {}
sideEffects SideEffectClass SideEffects states whether this webhook has side effects.
Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
Webhooks with side effects MUST implement a reconciliation system, since a request may be
rejected by a future step in the admission change and the side effects therefore need to be undone.
Requests with the dryRun attribute will be auto-rejected if they match a webhook with
sideEffects == Unknown or Some.
timeoutSeconds integer TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
the webhook call will be ignored or the API call will fail based on the
failure policy.
The timeout value must be between 1 and 30 seconds.
Defaults to 10 seconds.
10 Optional: {}
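The PolicySpec constraints listed above (module scheme, mode values and their one-way transition, failurePolicy, matchPolicy, timeoutSeconds range), as an added example that is not the Kubewarden controller's own validation code. The function names and the sample spec, including its placeholder module URI, are assumptions.

```python
# Added example (not the Kubewarden controller's own validation code): check a
# PolicySpec against the constraints documented above. Function names are assumed.

MODULE_SCHEMES = ("file://", "http://", "https://", "registry://")
MODES = {"protect", "monitor"}
FAILURE_POLICIES = {"Ignore", "Fail"}
MATCH_POLICIES = {"Exact", "Equivalent"}


def effective_mode(spec):
    """An empty mode is defaulted to "protect", as the reference states."""
    return spec.get("mode") or "protect"


def validate_spec(spec):
    """Return a list of problems; an empty list means the spec satisfies the documented rules."""
    errors = []
    module = spec.get("module")
    if not module or not module.startswith(MODULE_SCHEMES):
        errors.append("module is required and must use file://, http://, https:// or registry://")
    if effective_mode(spec) not in MODES:
        errors.append("mode must be 'protect' or 'monitor'")
    # failurePolicy "Ignore" fails open: an errored or timed-out policy lets the request through.
    if spec.get("failurePolicy", "Fail") not in FAILURE_POLICIES:
        errors.append("failurePolicy must be 'Ignore' or 'Fail'")
    if spec.get("matchPolicy", "Equivalent") not in MATCH_POLICIES:
        errors.append("matchPolicy must be 'Exact' or 'Equivalent'")
    timeout = spec.get("timeoutSeconds", 10)  # documented default
    if not isinstance(timeout, int) or not 1 <= timeout <= 30:
        errors.append("timeoutSeconds must be an integer between 1 and 30")
    return errors


def validate_transition(old_spec, new_spec):
    """Enforce the one-way mode change: monitor -> protect is allowed, protect -> monitor is not."""
    if effective_mode(old_spec) == "protect" and effective_mode(new_spec) == "monitor":
        return ["mode cannot change from 'protect' to 'monitor'; recreate the policy in 'monitor' mode"]
    return []


# Constructed sample spec; the module URI is a placeholder, not a real policy.
SAMPLE_SPEC = {
    "module": "registry://registry.example.invalid/policies/demo:v0",
    "mode": "monitor",
    "rules": [{"apiGroups": [""], "apiVersions": ["v1"], "resources": ["pods"], "operations": ["CREATE"]}],
    "timeoutSeconds": 5,
}

if __name__ == "__main__":
    print(validate_spec(SAMPLE_SPEC))                                  # []
    print(validate_transition(SAMPLE_SPEC, dict(SAMPLE_SPEC, mode="protect")))  # []
```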

PolicyStatusEnum

Underlying type: string

Validation:

  • Enum: [unscheduled scheduled pending active]

Appears in:

Field Description
unscheduled PolicyStatusUnscheduled is a transient state that will move on
to scheduled. This is the default state if no policy server is
assigned.
scheduled PolicyStatusScheduled is a transient state that will move on to
pending. This is the default state if a policy server is
assigned.
pending PolicyStatusPending informs that the policy server exists and
all resources are being reconciled.
active PolicyStatusActive informs that the k8s API server should be
forwarding admission review objects to the policy.