@@ -474,3 +474,368 @@ spec:
474474 storage : true
475475 subresources :
476476 status : {}
477+ - additionalPrinterColumns :
478+ - description : Bound to Policy Server
479+ jsonPath : .spec.policyServer
480+ name : Policy Server
481+ type : string
482+ - description : Whether the policy is mutating
483+ jsonPath : .spec.mutating
484+ name : Mutating
485+ type : boolean
486+ - description : Policy deployment mode
487+ jsonPath : .spec.mode
488+ name : Mode
489+ type : string
490+ - description : Policy deployment mode observed on the assigned Policy Server
491+ jsonPath : .status.mode
492+ name : Observed mode
493+ type : string
494+ - description : Status of the policy
495+ jsonPath : .status.policyStatus
496+ name : Status
497+ type : string
498+ deprecated : true
499+ deprecationWarning : This version is deprecated. Please, consider using v1
500+ name : v1alpha2
501+ schema :
502+ openAPIV3Schema :
503+ description : AdmissionPolicy is the Schema for the admissionpolicies API
504+ properties :
505+ apiVersion :
506+ description : |-
507+ APIVersion defines the versioned schema of this representation of an object.
508+ Servers should convert recognized schemas to the latest internal value, and
509+ may reject unrecognized values.
510+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
511+ type : string
512+ kind :
513+ description : |-
514+ Kind is a string value representing the REST resource this object represents.
515+ Servers may infer this from the endpoint the client submits requests to.
516+ Cannot be updated.
517+ In CamelCase.
518+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
519+ type : string
520+ metadata :
521+ type : object
522+ spec :
523+ description : AdmissionPolicySpec defines the desired state of AdmissionPolicy.
524+ properties :
525+ failurePolicy :
526+ description : |-
527+ FailurePolicy defines how unrecognized errors and timeout errors from the
528+ policy are handled. Allowed values are "Ignore" or "Fail".
529+ * "Ignore" means that an error calling the webhook is ignored and the API
530+ request is allowed to continue.
531+ * "Fail" means that an error calling the webhook causes the admission to
532+ fail and the API request to be rejected.
533+ The default behaviour is "Fail"
534+ type : string
535+ matchPolicy :
536+ description : |-
537+ matchPolicy defines how the "rules" list is used to match incoming requests.
538+ Allowed values are "Exact" or "Equivalent".
539+ <ul>
540+ <li>
541+ Exact: match a request only if it exactly matches a specified rule.
542+ For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
543+ but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
544+ a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
545+ </li>
546+ <li>
547+ Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
548+ For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
549+ and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
550+ a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
551+ </li>
552+ </ul>
553+ Defaults to "Equivalent"
554+ type : string
555+ mode :
556+ default : protect
557+ description : |-
558+ Mode defines the execution mode of this policy. Can be set to
559+ either "protect" or "monitor". If it's empty, it is defaulted to
560+ "protect".
561+ Transitioning this setting from "monitor" to "protect" is
562+ allowed, but is disallowed to transition from "protect" to
563+ "monitor". To perform this transition, the policy should be
564+ recreated in "monitor" mode instead.
565+ enum :
566+ - protect
567+ - monitor
568+ type : string
569+ module :
570+ description : |-
571+ Module is the location of the WASM module to be loaded. Can be a
572+ local file (file://), a remote file served by an HTTP server
573+ (http://, https://), or an artifact served by an OCI-compatible
574+ registry (registry://).
575+ type : string
576+ mutating :
577+ description : |-
578+ Mutating indicates whether a policy has the ability to mutate
579+ incoming requests or not.
580+ type : boolean
581+ objectSelector :
582+ description : |-
583+ ObjectSelector decides whether to run the webhook based on if the
584+ object has matching labels. objectSelector is evaluated against both
585+ the oldObject and newObject that would be sent to the webhook, and
586+ is considered to match if either object matches the selector. A null
587+ object (oldObject in the case of create, or newObject in the case of
588+ delete) or an object that cannot have labels (like a
589+ DeploymentRollback or a PodProxyOptions object) is not considered to
590+ match.
591+ Use the object selector only if the webhook is opt-in, because end
592+ users may skip the admission webhook by setting the labels.
593+ Default to the empty LabelSelector, which matches everything.
594+ properties :
595+ matchExpressions :
596+ description : matchExpressions is a list of label selector requirements.
597+ The requirements are ANDed.
598+ items :
599+ description : |-
600+ A label selector requirement is a selector that contains values, a key, and an operator that
601+ relates the key and values.
602+ properties :
603+ key :
604+ description : key is the label key that the selector applies
605+ to.
606+ type : string
607+ operator :
608+ description : |-
609+ operator represents a key's relationship to a set of values.
610+ Valid operators are In, NotIn, Exists and DoesNotExist.
611+ type : string
612+ values :
613+ description : |-
614+ values is an array of string values. If the operator is In or NotIn,
615+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
616+ the values array must be empty. This array is replaced during a strategic
617+ merge patch.
618+ items :
619+ type : string
620+ type : array
621+ x-kubernetes-list-type : atomic
622+ required :
623+ - key
624+ - operator
625+ type : object
626+ type : array
627+ x-kubernetes-list-type : atomic
628+ matchLabels :
629+ additionalProperties :
630+ type : string
631+ description : |-
632+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
633+ map is equivalent to an element of matchExpressions, whose key field is "key", the
634+ operator is "In", and the values array contains only "value". The requirements are ANDed.
635+ type : object
636+ type : object
637+ x-kubernetes-map-type : atomic
638+ policyServer :
639+ default : default
640+ description : PolicyServer identifies an existing PolicyServer resource.
641+ type : string
642+ rules :
643+ description : |-
644+ Rules describes what operations on what resources/subresources the webhook cares about.
645+ The webhook cares about an operation if it matches _any_ Rule.
646+ items :
647+ description : |-
648+ RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
649+ sure that all the tuple expansions are valid.
650+ properties :
651+ apiGroups :
652+ description : |-
653+ APIGroups is the API groups the resources belong to. '*' is all groups.
654+ If '*' is present, the length of the slice must be one.
655+ Required.
656+ items :
657+ type : string
658+ type : array
659+ x-kubernetes-list-type : atomic
660+ apiVersions :
661+ description : |-
662+ APIVersions is the API versions the resources belong to. '*' is all versions.
663+ If '*' is present, the length of the slice must be one.
664+ Required.
665+ items :
666+ type : string
667+ type : array
668+ x-kubernetes-list-type : atomic
669+ operations :
670+ description : |-
671+ Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
672+ for all of those operations and any future admission operations that are added.
673+ If '*' is present, the length of the slice must be one.
674+ Required.
675+ items :
676+ description : OperationType specifies an operation for a request.
677+ type : string
678+ type : array
679+ x-kubernetes-list-type : atomic
680+ resources :
681+ description : |-
682+ Resources is a list of resources this rule applies to.
683+
684+ For example:
685+ 'pods' means pods.
686+ 'pods/log' means the log subresource of pods.
687+ '*' means all resources, but not subresources.
688+ 'pods/*' means all subresources of pods.
689+ '*/scale' means all scale subresources.
690+ '*/*' means all resources and their subresources.
691+
692+ If wildcard is present, the validation rule will ensure resources do not
693+ overlap with each other.
694+
695+ Depending on the enclosing object, subresources might not be allowed.
696+ Required.
697+ items :
698+ type : string
699+ type : array
700+ x-kubernetes-list-type : atomic
701+ scope :
702+ description : |-
703+ scope specifies the scope of this rule.
704+ Valid values are "Cluster", "Namespaced", and "*"
705+ "Cluster" means that only cluster-scoped resources will match this rule.
706+ Namespace API objects are cluster-scoped.
707+ "Namespaced" means that only namespaced resources will match this rule.
708+ "*" means that there are no scope restrictions.
709+ Subresources match the scope of their parent resource.
710+ Default is "*".
711+ type : string
712+ type : object
713+ type : array
714+ settings :
715+ description : |-
716+ Settings is a free-form object that contains the policy configuration
717+ values.
718+ x-kubernetes-embedded-resource: false
719+ nullable : true
720+ type : object
721+ x-kubernetes-preserve-unknown-fields : true
722+ sideEffects :
723+ description : |-
724+ SideEffects states whether this webhook has side effects.
725+ Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
726+ Webhooks with side effects MUST implement a reconciliation system, since a request may be
727+ rejected by a future step in the admission change and the side effects therefore need to be undone.
728+ Requests with the dryRun attribute will be auto-rejected if they match a webhook with
729+ sideEffects == Unknown or Some.
730+ type : string
731+ timeoutSeconds :
732+ default : 10
733+ description : |-
734+ TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
735+ the webhook call will be ignored or the API call will fail based on the
736+ failure policy.
737+ The timeout value must be between 1 and 30 seconds.
738+ Default to 10 seconds.
739+ format : int32
740+ type : integer
741+ required :
742+ - module
743+ - mutating
744+ - rules
745+ type : object
746+ status :
747+ description : PolicyStatus defines the observed state of ClusterAdmissionPolicy
748+ and AdmissionPolicy.
749+ properties :
750+ conditions :
751+ description : |-
752+ Conditions represent the observed conditions of the
753+ ClusterAdmissionPolicy resource. Known .status.conditions.types
754+ are: "PolicyServerSecretReconciled",
755+ "PolicyServerConfigMapReconciled",
756+ "PolicyServerDeploymentReconciled",
757+ "PolicyServerServiceReconciled" and
758+ "AdmissionPolicyActive"
759+ items :
760+ description : Condition contains details for one aspect of the current
761+ state of this API Resource.
762+ properties :
763+ lastTransitionTime :
764+ description : |-
765+ lastTransitionTime is the last time the condition transitioned from one status to another.
766+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
767+ format : date-time
768+ type : string
769+ message :
770+ description : |-
771+ message is a human readable message indicating details about the transition.
772+ This may be an empty string.
773+ maxLength : 32768
774+ type : string
775+ observedGeneration :
776+ description : |-
777+ observedGeneration represents the .metadata.generation that the condition was set based upon.
778+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
779+ with respect to the current state of the instance.
780+ format : int64
781+ minimum : 0
782+ type : integer
783+ reason :
784+ description : |-
785+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
786+ Producers of specific condition types may define expected values and meanings for this field,
787+ and whether the values are considered a guaranteed API.
788+ The value should be a CamelCase string.
789+ This field may not be empty.
790+ maxLength : 1024
791+ minLength : 1
792+ pattern : ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
793+ type : string
794+ status :
795+ description : status of the condition, one of True, False, Unknown.
796+ enum :
797+ - " True"
798+ - " False"
799+ - Unknown
800+ type : string
801+ type :
802+ description : type of condition in CamelCase or in foo.example.com/CamelCase.
803+ maxLength : 316
804+ pattern : ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
805+ type : string
806+ required :
807+ - lastTransitionTime
808+ - message
809+ - reason
810+ - status
811+ - type
812+ type : object
813+ type : array
814+ x-kubernetes-list-map-keys :
815+ - type
816+ x-kubernetes-list-type : map
817+ mode :
818+ description : |-
819+ PolicyMode represents the observed policy mode of this policy in
820+ the associated PolicyServer configuration
821+ enum :
822+ - protect
823+ - monitor
824+ - unknown
825+ type : string
826+ policyStatus :
827+ description : PolicyStatus represents the observed status of the policy
828+ enum :
829+ - unscheduled
830+ - scheduled
831+ - pending
832+ - active
833+ type : string
834+ required :
835+ - policyStatus
836+ type : object
837+ type : object
838+ served : true
839+ storage : false
840+ subresources :
841+ status : {}
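Review bot: the `status.conditions[].status` enum in this hunk reads `" True"` and `" False"` with a space inside the quotes; if that is what ends up in the applied CRD (rather than an artifact of how the diff is rendered), no condition written with the conventional `True`/`False` values passes validation and every status update from the controller is rejected, so it should read `- "True"` / `- "False"` as in the upstream `metav1.Condition` schema. Separately, several spec fields document constraints the schema does not enforce: `failurePolicy` (Ignore/Fail, default Fail), `matchPolicy` (Exact/Equivalent, default Equivalent) and `sideEffects` are plain `type: string` with no `enum` and no `default`, and `timeoutSeconds` says "must be between 1 and 30 seconds" but carries only `default: 10`, with no `minimum`/`maximum`. Compare `mode`, which has both `enum` and `default`, and `observedGeneration`, which has `minimum: 0`. Without those, a misspelled or out-of-range value is accepted by the API server and only surfaces when the controller builds the webhook configuration; adding `enum` and `minimum`/`maximum` keeps the rejection at admission time. Likewise the `mode` description forbids the protect-to-monitor transition, but nothing in an OpenAPI schema can express that, so the description should say it is enforced by the controller's validating webhook rather than implying the CRD rejects it.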