policies.kubewarden.io_admissionpolicygroups.yaml
497 lines (491 loc) · 25.1 KB
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.18.0
  name: admissionpolicygroups.policies.kubewarden.io
spec:
  group: policies.kubewarden.io
  names:
    kind: AdmissionPolicyGroup
    listKind: AdmissionPolicyGroupList
    plural: admissionpolicygroups
    shortNames:
    - apg
    singular: admissionpolicygroup
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Bound to Policy Server
      jsonPath: .spec.policyServer
      name: Policy Server
      type: string
    - description: Whether the policy is mutating
      jsonPath: .spec.mutating
      name: Mutating
      type: boolean
    - description: Whether the policy is used in audit checks
      jsonPath: .spec.backgroundAudit
      name: BackgroundAudit
      type: boolean
    - description: Policy deployment mode
      jsonPath: .spec.mode
      name: Mode
      type: string
    - description: Policy deployment mode observed on the assigned Policy Server
      jsonPath: .status.mode
      name: Observed mode
      type: string
    - description: Status of the policy
      jsonPath: .status.policyStatus
      name: Status
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity']
      name: Severity
      priority: 1
      type: string
    - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category']
      name: Category
      priority: 1
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: AdmissionPolicyGroup is the Schema for the AdmissionPolicyGroups
          API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: AdmissionPolicyGroupSpec defines the desired state of AdmissionPolicyGroup.
            properties:
              backgroundAudit:
                default: true
                description: |-
                  BackgroundAudit indicates whether a policy should be used or skipped when
                  performing audit checks. If false, the policy cannot produce meaningful
                  evaluation results during audit checks and will be skipped.
                  The default is "true".
                type: boolean
              expression:
                description: |-
                  Expression is the evaluation expression to accept or reject the
                  admission request under evaluation. This field uses CEL as the
                  expression language for the policy groups. Each policy in the group
                  will be represented as a function call in the expression with the
                  same name as the policy defined in the group. The expression field
                  should be a valid CEL expression that evaluates to a boolean value.
                  If the expression evaluates to true, the group policy will be
                  considered as accepted, otherwise, it will be considered as
                  rejected. This expression allows grouping policies calls and perform
                  logical operations on the results of the policies. See Kubewarden
                  documentation to learn about all the features available.
                type: string
              failurePolicy:
                description: |-
                  FailurePolicy defines how unrecognized errors and timeout errors from the
                  policy are handled. Allowed values are "Ignore" or "Fail".
                  * "Ignore" means that an error calling the webhook is ignored and the API
                  request is allowed to continue.
                  * "Fail" means that an error calling the webhook causes the admission to
                  fail and the API request to be rejected.
                  The default behaviour is "Fail"
                type: string
              matchConditions:
                description: |-
                  MatchConditions are a list of conditions that must be met for a request to be
                  validated. Match conditions filter requests that have already been matched by
                  the rules, namespaceSelector, and objectSelector. An empty list of
                  matchConditions matches all requests. There are a maximum of 64 match
                  conditions allowed. If a parameter object is provided, it can be accessed via
                  the `params` handle in the same manner as validation expressions. The exact
                  matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
                  the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
                  is evaluated. 3. If any matchCondition evaluates to an error (but none are
                  FALSE): - If failurePolicy=Fail, reject the request - If
                  failurePolicy=Ignore, the policy is skipped.
                  Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
                items:
                  description: MatchCondition represents a condition which must by
                    fulfilled for a request to be sent to a webhook.
                  properties:
                    expression:
                      description: |-
                        Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                        CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
                        'object' - The object from the incoming request. The value is null for DELETE requests.
                        'oldObject' - The existing object. The value is null for CREATE requests.
                        'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                        'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                        See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                        'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                        request resource.
                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
                        Required.
                      type: string
                    name:
                      description: |-
                        Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                        as well as providing an identifier for logging purposes. A good name should be descriptive of
                        the associated expression.
                        Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                        must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
                        '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                        optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
                        Required.
                      type: string
                  required:
                  - expression
                  - name
                  type: object
                type: array
              matchPolicy:
                description: |-
                  matchPolicy defines how the "rules" list is used to match incoming requests.
                  Allowed values are "Exact" or "Equivalent".
                  <ul>
                  <li>
                  Exact: match a request only if it exactly matches a specified rule.
                  For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
                  but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
                  a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
                  </li>
                  <li>
                  Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
                  For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
                  and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
                  a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
                  </li>
                  </ul>
                  Defaults to "Equivalent"
                type: string
              message:
                description: |-
                  Message is used to specify the message that will be returned when
                  the policy group is rejected. The specific policy results will be
                  returned in the warning field of the response.
                type: string
              mode:
                default: protect
                description: |-
                  Mode defines the execution mode of this policy. Can be set to
                  either "protect" or "monitor". If it's empty, it is defaulted to
                  "protect".
                  Transitioning this setting from "monitor" to "protect" is
                  allowed, but is disallowed to transition from "protect" to
                  "monitor". To perform this transition, the policy should be
                  recreated in "monitor" mode instead.
                enum:
                - protect
                - monitor
                type: string
              objectSelector:
                description: |-
                  ObjectSelector decides whether to run the webhook based on if the
                  object has matching labels. objectSelector is evaluated against both
                  the oldObject and newObject that would be sent to the webhook, and
                  is considered to match if either object matches the selector. A null
                  object (oldObject in the case of create, or newObject in the case of
                  delete) or an object that cannot have labels (like a
                  DeploymentRollback or a PodProxyOptions object) is not considered to
                  match.
                  Use the object selector only if the webhook is opt-in, because end
                  users may skip the admission webhook by setting the labels.
                  Default to the empty LabelSelector, which matches everything.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: |-
                        A label selector requirement is a selector that contains values, a key, and an operator that
                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: |-
                            operator represents a key's relationship to a set of values.
                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
                          description: |-
                            values is an array of string values. If the operator is In or NotIn,
                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                          x-kubernetes-list-type: atomic
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                    x-kubernetes-list-type: atomic
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: |-
                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              policies:
                additionalProperties:
                  properties:
                    module:
                      description: |-
                        Module is the location of the WASM module to be loaded. Can be a
                        local file (file://), a remote file served by an HTTP server
                        (http://, https://), or an artifact served by an OCI-compatible
                        registry (registry://).
                        If prefix is missing, it will default to registry:// and use that
                        internally.
                      type: string
                    settings:
                      description: |-
                        Settings is a free-form object that contains the policy configuration
                        values.
                        x-kubernetes-embedded-resource: false
                      nullable: true
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    timeoutEvalSeconds:
                      description: |-
                        TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
                        the timeout passes, the policy evaluation call will fail based on the
                        failure policy.
                        The timeout value must be between 2 and 30 seconds.
                      format: int32
                      maximum: 30
                      minimum: 2
                      type: integer
                  required:
                  - module
                  type: object
                description: |-
                  Policies is a list of policies that are part of the group that will
                  be available to be called in the evaluation expression field.
                  Each policy in the group should be a Kubewarden policy.
                type: object
              policyServer:
                default: default
                description: PolicyServer identifies an existing PolicyServer resource.
                type: string
              rules:
                description: |-
                  Rules describes what operations on what resources/subresources the webhook cares about.
                  The webhook cares about an operation if it matches _any_ Rule.
                items:
                  description: |-
                    RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
                    sure that all the tuple expansions are valid.
                  properties:
                    apiGroups:
                      description: |-
                        APIGroups is the API groups the resources belong to. '*' is all groups.
                        If '*' is present, the length of the slice must be one.
                        Required.
                      items:
                        type: string
                      type: array
                      x-kubernetes-list-type: atomic
                    apiVersions:
                      description: |-
                        APIVersions is the API versions the resources belong to. '*' is all versions.
                        If '*' is present, the length of the slice must be one.
                        Required.
                      items:
                        type: string
                      type: array
                      x-kubernetes-list-type: atomic
                    operations:
                      description: |-
                        Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
                        for all of those operations and any future admission operations that are added.
                        If '*' is present, the length of the slice must be one.
                        Required.
                      items:
                        description: OperationType specifies an operation for a request.
                        type: string
                      type: array
                      x-kubernetes-list-type: atomic
                    resources:
                      description: |-
                        Resources is a list of resources this rule applies to.
                        For example:
                        'pods' means pods.
                        'pods/log' means the log subresource of pods.
                        '*' means all resources, but not subresources.
                        'pods/*' means all subresources of pods.
                        '*/scale' means all scale subresources.
                        '*/*' means all resources and their subresources.
                        If wildcard is present, the validation rule will ensure resources do not
                        overlap with each other.
                        Depending on the enclosing object, subresources might not be allowed.
                        Required.
                      items:
                        type: string
                      type: array
                      x-kubernetes-list-type: atomic
                    scope:
                      description: |-
                        scope specifies the scope of this rule.
                        Valid values are "Cluster", "Namespaced", and "*"
                        "Cluster" means that only cluster-scoped resources will match this rule.
                        Namespace API objects are cluster-scoped.
                        "Namespaced" means that only namespaced resources will match this rule.
                        "*" means that there are no scope restrictions.
                        Subresources match the scope of their parent resource.
                        Default is "*".
                      type: string
                  type: object
                type: array
              sideEffects:
                description: |-
                  SideEffects states whether this webhook has side effects.
                  Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
                  Webhooks with side effects MUST implement a reconciliation system, since a request may be
                  rejected by a future step in the admission change and the side effects therefore need to be undone.
                  Requests with the dryRun attribute will be auto-rejected if they match a webhook with
                  sideEffects == Unknown or Some.
                type: string
              timeoutSeconds:
                default: 10
                description: |-
                  TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
                  the webhook call will be ignored or the API call will fail based on the
                  failure policy.
                  The timeout value must be between 2 and 30 seconds.
                  Default to 10 seconds.
                format: int32
                maximum: 30
                minimum: 2
                type: integer
            required:
            - expression
            - message
            - policies
            - rules
            type: object
          status:
            description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
              and AdmissionPolicy.
            properties:
              conditions:
                description: |-
                  Conditions represent the observed conditions of the
                  ClusterAdmissionPolicy resource. Known .status.conditions.types
                  are: "PolicyServerSecretReconciled",
                  "PolicyServerConfigMapReconciled",
                  "PolicyServerDeploymentReconciled",
                  "PolicyServerServiceReconciled" and
                  "AdmissionPolicyActive"
                items:
                  description: Condition contains details for one aspect of the current
                    state of this API Resource.
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
              mode:
                description: |-
                  PolicyMode represents the observed policy mode of this policy in
                  the associated PolicyServer configuration
                enum:
                - protect
                - monitor
                - unknown
                type: string
              policyStatus:
                description: PolicyStatus represents the observed status of the policy
                enum:
                - unscheduled
                - scheduled
                - pending
                - active
                type: string
            required:
            - policyStatus
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}