diff --git a/Makefile b/Makefile
index 46148fc46..21f5f1f0f 100644
--- a/Makefile
+++ b/Makefile
@@ -159,8 +159,10 @@ manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefin
$(GO_BUILD_ENV) $(CONTROLLER_GEN) rbac:roleName=kubewarden-controller-manager,fileName=controller-rbac-roles.yaml crd webhook \
paths="./api/policies/v1" paths="./api/policies/v1alpha2" \
paths="./internal/controller" paths="./cmd/controller" \
- output:crd:artifacts:config=charts/kubewarden-crds/templates \
- output:rbac:artifacts:config=charts/kubewarden-controller/templates
+ output:crd:artifacts:config=charts/kubewarden-crds/templates/crds \
+ output:rbac:artifacts:config=charts/kubewarden-controller/templates \
+ output:webhook:artifacts:config=charts/kubewarden-controller/templates
+ mv charts/kubewarden-controller/templates/manifests.yaml charts/kubewarden-controller/templates/webhooks.yaml
sed -i '/^metadata:/a\ labels:\n {{- include "kubewarden-controller.labels" . | nindent 4 }}\n annotations:\n {{- include "kubewarden-controller.annotations" . | nindent 4 }}' charts/kubewarden-controller/templates/controller-rbac-roles.yaml
sed -i 's/ namespace: kubewarden/ namespace: {{ .Release.Namespace }}/' charts/kubewarden-controller/templates/controller-rbac-roles.yaml
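Review bot: The added `mv` line overwrites `charts/kubewarden-controller/templates/webhooks.yaml` with raw controller-gen output on every `make manifests`, and nothing in this hunk post-processes that file — the two `sed` lines that follow only edit `controller-rbac-roles.yaml`. Unprocessed controller-gen webhook manifests would presumably still carry `namespace: system`, no `caBundle` and no Helm labels, which is exactly what the new `webhooks_coverage_test.yaml` asserts against; so either the templating step for `webhooks.yaml` lives outside this hunk, or regenerating manifests regresses the chart's webhook wiring (a missing `caBundle` makes the API server's TLS verification of the webhook fail, and what happens next depends on each webhook's `failurePolicy`). If a separate step does that templating, a comment above the `mv` would make the contract explicit: `# controller-gen writes webhooks to manifests.yaml; rename to the template name the chart and its unit tests expect`. The `manifests` rule header and any further recipe lines are outside the hunk.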
diff --git a/charts/kubewarden-controller/tests/webhooks_coverage_test.yaml b/charts/kubewarden-controller/tests/webhooks_coverage_test.yaml
new file mode 100644
index 000000000..2f1efd638
--- /dev/null
+++ b/charts/kubewarden-controller/tests/webhooks_coverage_test.yaml
@@ -0,0 +1,299 @@
+suite: webhooks Helm templating coverage
+templates:
+ - webhooks.yaml
+release:
+ namespace: "kubewarden"
+
+tests:
+ # ── Group 1: Resource names must be kubewarden-controller-prefixed, not plain controller-gen names ──
+
+ - it: "MutatingWebhookConfiguration should have the kubewarden-controller-prefixed name"
+ documentSelector:
+ path: kind
+ value: MutatingWebhookConfiguration
+ asserts:
+ - equal:
+ path: metadata.name
+ value: kubewarden-controller-mutating-webhook-configuration
+
+ - it: "ValidatingWebhookConfiguration should have the kubewarden-controller-prefixed name"
+ documentSelector:
+ path: kind
+ value: ValidatingWebhookConfiguration
+ asserts:
+ - equal:
+ path: metadata.name
+ value: kubewarden-controller-validating-webhook-configuration
+
+ # ── Group 2: Helm labels and annotations must be present on webhook configs ──
+
+ - it: "MutatingWebhookConfiguration should have Helm labels"
+ documentSelector:
+ path: kind
+ value: MutatingWebhookConfiguration
+ asserts:
+ - isNotNullOrEmpty:
+ path: metadata.labels
+ - equal:
+ path: metadata.labels["app.kubernetes.io/managed-by"]
+ value: Helm
+
+ - it: "ValidatingWebhookConfiguration should have Helm labels"
+ documentSelector:
+ path: kind
+ value: ValidatingWebhookConfiguration
+ asserts:
+ - isNotNullOrEmpty:
+ path: metadata.labels
+ - equal:
+ path: metadata.labels["app.kubernetes.io/managed-by"]
+ value: Helm
+
+ # ── Group 3: caBundle must be present on all webhooks ──
+
+ - it: "all mutating webhooks should have caBundle injected"
+ documentSelector:
+ path: kind
+ value: MutatingWebhookConfiguration
+ asserts:
+ - isNotNullOrEmpty:
+ path: webhooks[0].clientConfig.caBundle
+ - isNotNullOrEmpty:
+ path: webhooks[1].clientConfig.caBundle
+ - isNotNullOrEmpty:
+ path: webhooks[2].clientConfig.caBundle
+ - isNotNullOrEmpty:
+ path: webhooks[3].clientConfig.caBundle
+ - isNotNullOrEmpty:
+ path: webhooks[4].clientConfig.caBundle
+
+ - it: "all validating webhooks should have caBundle injected"
+ documentSelector:
+ path: kind
+ value: ValidatingWebhookConfiguration
+ asserts:
+ - isNotNullOrEmpty:
+ path: webhooks[0].clientConfig.caBundle
+ - isNotNullOrEmpty:
+ path: webhooks[1].clientConfig.caBundle
+ - isNotNullOrEmpty:
+ path: webhooks[2].clientConfig.caBundle
+ - isNotNullOrEmpty:
+ path: webhooks[3].clientConfig.caBundle
+ - isNotNullOrEmpty:
+ path: webhooks[4].clientConfig.caBundle
+
+ # ── Group 4: service.name must use the release name prefix, not plain 'webhook-service' ──
+
+ - it: "mutating webhooks should use release-prefixed service name, not plain 'webhook-service'"
+ documentSelector:
+ path: kind
+ value: MutatingWebhookConfiguration
+ asserts:
+ - matchRegex:
+ path: webhooks[0].clientConfig.service.name
+ pattern: "^.+-webhook-service$"
+ - notEqual:
+ path: webhooks[0].clientConfig.service.name
+ value: webhook-service
+
+ - it: "validating webhooks should use release-prefixed service name, not plain 'webhook-service'"
+ documentSelector:
+ path: kind
+ value: ValidatingWebhookConfiguration
+ asserts:
+ - matchRegex:
+ path: webhooks[0].clientConfig.service.name
+ pattern: "^.+-webhook-service$"
+ - notEqual:
+ path: webhooks[0].clientConfig.service.name
+ value: webhook-service
+
+ # ── Group 5: service.namespace must use the release namespace, not controller-gen's 'system' ──
+
+ - it: "mutating webhooks should use the release namespace, not 'system'"
+ documentSelector:
+ path: kind
+ value: MutatingWebhookConfiguration
+ asserts:
+ - equal:
+ path: webhooks[0].clientConfig.service.namespace
+ value: kubewarden
+ - notEqual:
+ path: webhooks[0].clientConfig.service.namespace
+ value: system
+
+ - it: "validating webhooks should use the release namespace, not 'system'"
+ documentSelector:
+ path: kind
+ value: ValidatingWebhookConfiguration
+ asserts:
+ - equal:
+ path: webhooks[0].clientConfig.service.namespace
+ value: kubewarden
+ - notEqual:
+ path: webhooks[0].clientConfig.service.namespace
+ value: system
+
+ # ── Group 6: the 3 TLS/CA Secret documents must be present ──
+
+ - it: "kubewarden-ca Secret should be present"
+ documentSelector:
+ path: metadata.name
+ value: kubewarden-ca
+ asserts:
+ - equal:
+ path: kind
+ value: Secret
+
+ - it: "kubewarden-webhook-server-cert Secret should be present"
+ documentSelector:
+ path: metadata.name
+ value: kubewarden-webhook-server-cert
+ asserts:
+ - equal:
+ path: kind
+ value: Secret
+
+ - it: "kubewarden-audit-scanner-client-cert Secret should be present"
+ documentSelector:
+ path: metadata.name
+ value: kubewarden-audit-scanner-client-cert
+ asserts:
+ - equal:
+ path: kind
+ value: Secret
+
+ # ── Group 7: webhook count must match what controller-gen produces ──
+
+ - it: "MutatingWebhookConfiguration should have exactly 5 webhooks"
+ documentSelector:
+ path: kind
+ value: MutatingWebhookConfiguration
+ asserts:
+ - lengthEqual:
+ path: webhooks
+ count: 5
+
+ - it: "ValidatingWebhookConfiguration should have exactly 5 webhooks"
+ documentSelector:
+ path: kind
+ value: ValidatingWebhookConfiguration
+ asserts:
+ - lengthEqual:
+ path: webhooks
+ count: 5
+
+ # ── Group 8: each mutating webhook must be present with correct name and service path ──
+ # Note: helm-unittest `contains` does not support deep partial matching on nested fields,
+ # so we check `name` presence separately from the service `path` per index.
+
+ - it: "MutatingWebhookConfiguration should have all expected webhook names"
+ documentSelector:
+ path: kind
+ value: MutatingWebhookConfiguration
+ asserts:
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: madmissionpolicy.kb.io
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: madmissionpolicygroup.kb.io
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: mclusteradmissionpolicy.kb.io
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: mclusteradmissionpolicygroup.kb.io
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: mpolicyserver.kb.io
+
+ - it: "MutatingWebhookConfiguration should have correct service paths for all webhooks"
+ documentSelector:
+ path: kind
+ value: MutatingWebhookConfiguration
+ asserts:
+ # Order matches webhooks.yaml: clusteradmissionpolicy, clusteradmissionpolicygroup,
+ # policyserver, admissionpolicy, admissionpolicygroup
+ - equal:
+ path: webhooks[0].clientConfig.service.path
+ value: /mutate-policies-kubewarden-io-v1-clusteradmissionpolicy
+ - equal:
+ path: webhooks[1].clientConfig.service.path
+ value: /mutate-policies-kubewarden-io-v1-clusteradmissionpolicygroup
+ - equal:
+ path: webhooks[2].clientConfig.service.path
+ value: /mutate-policies-kubewarden-io-v1-policyserver
+ - equal:
+ path: webhooks[3].clientConfig.service.path
+ value: /mutate-policies-kubewarden-io-v1-admissionpolicy
+ - equal:
+ path: webhooks[4].clientConfig.service.path
+ value: /mutate-policies-kubewarden-io-v1-admissionpolicygroup
+
+ # ── Group 8 (cont.): each validating webhook must be present with correct name and service path ──
+
+ - it: "ValidatingWebhookConfiguration should have all expected webhook names"
+ documentSelector:
+ path: kind
+ value: ValidatingWebhookConfiguration
+ asserts:
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: vadmissionpolicy.kb.io
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: vadmissionpolicygroup.kb.io
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: vclusteradmissionpolicy.kb.io
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: vclusteradmissionpolicygroup.kb.io
+ - contains:
+ path: webhooks
+ any: true
+ content:
+ name: vpolicyserver.kb.io
+
+ - it: "ValidatingWebhookConfiguration should have correct service paths for all webhooks"
+ documentSelector:
+ path: kind
+ value: ValidatingWebhookConfiguration
+ asserts:
+ # Order matches webhooks.yaml: clusteradmissionpolicy, clusteradmissionpolicygroup,
+ # admissionpolicy, admissionpolicygroup, policyserver
+ - equal:
+ path: webhooks[0].clientConfig.service.path
+ value: /validate-policies-kubewarden-io-v1-clusteradmissionpolicy
+ - equal:
+ path: webhooks[1].clientConfig.service.path
+ value: /validate-policies-kubewarden-io-v1-clusteradmissionpolicygroup
+ - equal:
+ path: webhooks[2].clientConfig.service.path
+ value: /validate-policies-kubewarden-io-v1-admissionpolicy
+ - equal:
+ path: webhooks[3].clientConfig.service.path
+ value: /validate-policies-kubewarden-io-v1-admissionpolicygroup
+ - equal:
+ path: webhooks[4].clientConfig.service.path
+ value: /validate-policies-kubewarden-io-v1-policyserver
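Review bot: Groups 4 and 5 assert `clientConfig.service.name` and `clientConfig.service.namespace` only on `webhooks[0]` of each configuration, while Group 3 checks `caBundle` on all five indexes; a leftover plain `webhook-service` or `namespace: system` on entries 1–4 would pass this suite. Extending both groups to `webhooks[1]`–`webhooks[4]`, mirroring Group 3, makes the coverage consistent with the per-index path checks in Group 8. The `caBundle` assertions verify only non-emptiness; if the templated webhooks also set `failurePolicy`, an `equal` assertion on it would pin whether admission fails closed when the webhook is unreachable, which is the property the CA and certificate wiring exists to protect. The index-based assertions in Group 8 depend on controller-gen's emission order, as the inline comments note; documenting that this order is regenerated from the `+kubebuilder:webhook` markers would help whoever next sees these tests fail after a marker reorder.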
diff --git a/charts/kubewarden-crds/templates/policies.kubewarden.io_admissionpolicies.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicies.yaml
similarity index 100%
rename from charts/kubewarden-crds/templates/policies.kubewarden.io_admissionpolicies.yaml
rename to charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicies.yaml
diff --git a/charts/kubewarden-crds/templates/policies.kubewarden.io_admissionpolicygroups.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml
similarity index 100%
rename from charts/kubewarden-crds/templates/policies.kubewarden.io_admissionpolicygroups.yaml
rename to charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml
diff --git a/charts/kubewarden-crds/templates/policies.kubewarden.io_clusteradmissionpolicies.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml
similarity index 100%
rename from charts/kubewarden-crds/templates/policies.kubewarden.io_clusteradmissionpolicies.yaml
rename to charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml
diff --git a/charts/kubewarden-crds/templates/policies.kubewarden.io_clusteradmissionpolicygroups.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml
similarity index 100%
rename from charts/kubewarden-crds/templates/policies.kubewarden.io_clusteradmissionpolicygroups.yaml
rename to charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml
diff --git a/charts/kubewarden-crds/templates/policies.kubewarden.io_policyservers.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_policyservers.yaml
similarity index 100%
rename from charts/kubewarden-crds/templates/policies.kubewarden.io_policyservers.yaml
rename to charts/kubewarden-crds/templates/crds/policies.kubewarden.io_policyservers.yaml
diff --git a/charts/kubewarden-crds/tests/crds_test.yaml b/charts/kubewarden-crds/tests/crds_test.yaml
index 047819018..1911dfdf6 100644
--- a/charts/kubewarden-crds/tests/crds_test.yaml
+++ b/charts/kubewarden-crds/tests/crds_test.yaml
@@ -1,7 +1,7 @@
suite: Kubewarden CRDs
tests:
- it: "admissionpolicies CRD should be a CustomResourceDefinition"
- template: policies.kubewarden.io_admissionpolicies.yaml
+ template: crds/policies.kubewarden.io_admissionpolicies.yaml
asserts:
- equal:
path: kind
@@ -14,7 +14,7 @@ tests:
value: policies.kubewarden.io
- it: "admissionpolicygroups CRD should be a CustomResourceDefinition"
- template: policies.kubewarden.io_admissionpolicygroups.yaml
+ template: crds/policies.kubewarden.io_admissionpolicygroups.yaml
asserts:
- equal:
path: kind
@@ -27,7 +27,7 @@ tests:
value: policies.kubewarden.io
- it: "clusteradmissionpolicies CRD should be a CustomResourceDefinition"
- template: policies.kubewarden.io_clusteradmissionpolicies.yaml
+ template: crds/policies.kubewarden.io_clusteradmissionpolicies.yaml
asserts:
- equal:
path: kind
@@ -40,7 +40,7 @@ tests:
value: policies.kubewarden.io
- it: "clusteradmissionpolicygroups CRD should be a CustomResourceDefinition"
- template: policies.kubewarden.io_clusteradmissionpolicygroups.yaml
+ template: crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml
asserts:
- equal:
path: kind
@@ -53,7 +53,7 @@ tests:
value: policies.kubewarden.io
- it: "policyservers CRD should be a CustomResourceDefinition"
- template: policies.kubewarden.io_policyservers.yaml
+ template: crds/policies.kubewarden.io_policyservers.yaml
asserts:
- equal:
path: kind
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
deleted file mode 100644
index 52d866183..000000000
--- a/config/certmanager/certificate.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# The following manifests contain a self-signed issuer CR and a certificate CR.
-# More document can be found at https://docs.cert-manager.io
-# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes.
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: selfsigned-issuer
- namespace: system
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
- namespace: system
-spec:
- # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
- dnsNames:
- - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
- - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
- issuerRef:
- kind: Issuer
- name: selfsigned-issuer
- secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml
deleted file mode 100644
index bebea5a59..000000000
--- a/config/certmanager/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-resources:
-- certificate.yaml
-
-configurations:
-- kustomizeconfig.yaml
diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml
deleted file mode 100644
index 90d7c313c..000000000
--- a/config/certmanager/kustomizeconfig.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# This configuration is for teaching kustomize how to update name ref and var substitution
-nameReference:
-- kind: Issuer
- group: cert-manager.io
- fieldSpecs:
- - kind: Certificate
- group: cert-manager.io
- path: spec/issuerRef/name
-
-varReference:
-- kind: Certificate
- group: cert-manager.io
- path: spec/commonName
-- kind: Certificate
- group: cert-manager.io
- path: spec/dnsNames
diff --git a/config/crd/bases/policies.kubewarden.io_admissionpolicies.yaml b/config/crd/bases/policies.kubewarden.io_admissionpolicies.yaml
deleted file mode 100644
index 026160c51..000000000
--- a/config/crd/bases/policies.kubewarden.io_admissionpolicies.yaml
+++ /dev/null
@@ -1,841 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
- name: admissionpolicies.policies.kubewarden.io
-spec:
- group: policies.kubewarden.io
- names:
- kind: AdmissionPolicy
- listKind: AdmissionPolicyList
- plural: admissionpolicies
- shortNames:
- - ap
- singular: admissionpolicy
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Bound to Policy Server
- jsonPath: .spec.policyServer
- name: Policy Server
- type: string
- - description: Whether the policy is mutating
- jsonPath: .spec.mutating
- name: Mutating
- type: boolean
- - description: Whether the policy is used in audit checks
- jsonPath: .spec.backgroundAudit
- name: BackgroundAudit
- type: boolean
- - description: Policy deployment mode
- jsonPath: .spec.mode
- name: Mode
- type: string
- - description: Policy deployment mode observed on the assigned Policy Server
- jsonPath: .status.mode
- name: Observed mode
- type: string
- - description: Status of the policy
- jsonPath: .status.policyStatus
- name: Status
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity']
- name: Severity
- priority: 1
- type: string
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category']
- name: Category
- priority: 1
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: AdmissionPolicy is the Schema for the admissionpolicies API
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: AdmissionPolicySpec defines the desired state of AdmissionPolicy.
- properties:
- backgroundAudit:
- default: true
- description: |-
- BackgroundAudit indicates whether a policy should be used or skipped when
- performing audit checks. If false, the policy cannot produce meaningful
- evaluation results during audit checks and will be skipped.
- The default is "true".
- type: boolean
- failurePolicy:
- description: |-
- FailurePolicy defines how unrecognized errors and timeout errors from the
- policy are handled. Allowed values are "Ignore" or "Fail".
- * "Ignore" means that an error calling the webhook is ignored and the API
- request is allowed to continue.
- * "Fail" means that an error calling the webhook causes the admission to
- fail and the API request to be rejected.
- The default behaviour is "Fail"
- type: string
- matchConditions:
- description: |-
- MatchConditions are a list of conditions that must be met for a request to be
- validated. Match conditions filter requests that have already been matched by
- the rules, namespaceSelector, and objectSelector. An empty list of
- matchConditions matches all requests. There are a maximum of 64 match
- conditions allowed. If a parameter object is provided, it can be accessed via
- the `params` handle in the same manner as validation expressions. The exact
- matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
- the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
- is evaluated. 3. If any matchCondition evaluates to an error (but none are
- FALSE): - If failurePolicy=Fail, reject the request - If
- failurePolicy=Ignore, the policy is skipped.
- Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
- items:
- description: MatchCondition represents a condition which must by
- fulfilled for a request to be sent to a webhook.
- properties:
- expression:
- description: |-
- Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
- CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
- 'object' - The object from the incoming request. The value is null for DELETE requests.
- 'oldObject' - The existing object. The value is null for CREATE requests.
- 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
- See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
- request resource.
- Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
- Required.
- type: string
- name:
- description: |-
- Name is an identifier for this match condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes. A good name should be descriptive of
- the associated expression.
- Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
- '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
- optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
- Required.
- type: string
- required:
- - expression
- - name
- type: object
- type: array
- matchPolicy:
- description: |-
- matchPolicy defines how the "rules" list is used to match incoming requests.
- Allowed values are "Exact" or "Equivalent".
-
- -
- Exact: match a request only if it exactly matches a specified rule.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-
- -
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-
-
- Defaults to "Equivalent"
- type: string
- message:
- description: |-
- Message overrides the rejection message of the policy.
- When provided, the policy's rejection message can be found
- inside of the `.status.details.causes` field of the
- AdmissionResponse object
- type: string
- mode:
- default: protect
- description: |-
- Mode defines the execution mode of this policy. Can be set to
- either "protect" or "monitor". If it's empty, it is defaulted to
- "protect".
- Transitioning this setting from "monitor" to "protect" is
- allowed, but is disallowed to transition from "protect" to
- "monitor". To perform this transition, the policy should be
- recreated in "monitor" mode instead.
- enum:
- - protect
- - monitor
- type: string
- module:
- description: |-
- Module is the location of the WASM module to be loaded. Can be a
- local file (file://), a remote file served by an HTTP server
- (http://, https://), or an artifact served by an OCI-compatible
- registry (registry://).
- If prefix is missing, it will default to registry:// and use that
- internally.
- type: string
- mutating:
- description: |-
- Mutating indicates whether a policy has the ability to mutate
- incoming requests or not.
- type: boolean
- objectSelector:
- description: |-
- ObjectSelector decides whether to run the webhook based on if the
- object has matching labels. objectSelector is evaluated against both
- the oldObject and newObject that would be sent to the webhook, and
- is considered to match if either object matches the selector. A null
- object (oldObject in the case of create, or newObject in the case of
- delete) or an object that cannot have labels (like a
- DeploymentRollback or a PodProxyOptions object) is not considered to
- match.
- Use the object selector only if the webhook is opt-in, because end
- users may skip the admission webhook by setting the labels.
- Default to the empty LabelSelector, which matches everything.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- policyServer:
- default: default
- description: PolicyServer identifies an existing PolicyServer resource.
- type: string
- rules:
- description: |-
- Rules describes what operations on what resources/subresources the webhook cares about.
- The webhook cares about an operation if it matches _any_ Rule.
- items:
- description: |-
- RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
- sure that all the tuple expansions are valid.
- properties:
- apiGroups:
- description: |-
- APIGroups is the API groups the resources belong to. '*' is all groups.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- apiVersions:
- description: |-
- APIVersions is the API versions the resources belong to. '*' is all versions.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- operations:
- description: |-
- Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
- for all of those operations and any future admission operations that are added.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- description: OperationType specifies an operation for a request.
- type: string
- type: array
- x-kubernetes-list-type: atomic
- resources:
- description: |-
- Resources is a list of resources this rule applies to.
-
- For example:
- 'pods' means pods.
- 'pods/log' means the log subresource of pods.
- '*' means all resources, but not subresources.
- 'pods/*' means all subresources of pods.
- '*/scale' means all scale subresources.
- '*/*' means all resources and their subresources.
-
- If wildcard is present, the validation rule will ensure resources do not
- overlap with each other.
-
- Depending on the enclosing object, subresources might not be allowed.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- scope:
- description: |-
- scope specifies the scope of this rule.
- Valid values are "Cluster", "Namespaced", and "*"
- "Cluster" means that only cluster-scoped resources will match this rule.
- Namespace API objects are cluster-scoped.
- "Namespaced" means that only namespaced resources will match this rule.
- "*" means that there are no scope restrictions.
- Subresources match the scope of their parent resource.
- Default is "*".
- type: string
- type: object
- type: array
- settings:
- description: |-
- Settings is a free-form object that contains the policy configuration
- values.
- x-kubernetes-embedded-resource: false
- nullable: true
- type: object
- x-kubernetes-preserve-unknown-fields: true
- sideEffects:
- description: |-
- SideEffects states whether this webhook has side effects.
- Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
- Webhooks with side effects MUST implement a reconciliation system, since a request may be
- rejected by a future step in the admission change and the side effects therefore need to be undone.
- Requests with the dryRun attribute will be auto-rejected if they match a webhook with
- sideEffects == Unknown or Some.
- type: string
- timeoutEvalSeconds:
- description: |-
- TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
- the timeout passes, the policy evaluation call will fail based on the
- failure policy.
- The timeout value must be between 2 and 30 seconds.
- format: int32
- maximum: 30
- minimum: 2
- type: integer
- timeoutSeconds:
- default: 10
- description: |-
- TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes,
- the webhook call will be ignored or the API call will fail based on the
- failure policy.
- The timeout value must be between 2 and 30 seconds.
- Default to 10 seconds.
- format: int32
- maximum: 30
- minimum: 2
- type: integer
- required:
- - module
- - mutating
- - rules
- type: object
- status:
- description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
- and AdmissionPolicy.
- properties:
- conditions:
- description: |-
- Conditions represent the observed conditions of the
- ClusterAdmissionPolicy resource. Known .status.conditions.types
- are: "PolicyServerSecretReconciled",
- "PolicyServerConfigMapReconciled",
- "PolicyServerDeploymentReconciled",
- "PolicyServerServiceReconciled" and
- "AdmissionPolicyActive"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- mode:
- description: |-
- PolicyMode represents the observed policy mode of this policy in
- the associated PolicyServer configuration
- enum:
- - protect
- - monitor
- - unknown
- type: string
- policyStatus:
- description: PolicyStatus represents the observed status of the policy
- enum:
- - unscheduled
- - scheduled
- - pending
- - active
- type: string
- required:
- - policyStatus
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: Bound to Policy Server
- jsonPath: .spec.policyServer
- name: Policy Server
- type: string
- - description: Whether the policy is mutating
- jsonPath: .spec.mutating
- name: Mutating
- type: boolean
- - description: Policy deployment mode
- jsonPath: .spec.mode
- name: Mode
- type: string
- - description: Policy deployment mode observed on the assigned Policy Server
- jsonPath: .status.mode
- name: Observed mode
- type: string
- - description: Status of the policy
- jsonPath: .status.policyStatus
- name: Status
- type: string
- deprecated: true
- deprecationWarning: This version is deprecated. Please, consider using v1
- name: v1alpha2
- schema:
- openAPIV3Schema:
- description: AdmissionPolicy is the Schema for the admissionpolicies API
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: AdmissionPolicySpec defines the desired state of AdmissionPolicy.
- properties:
- failurePolicy:
- description: |-
- FailurePolicy defines how unrecognized errors and timeout errors from the
- policy are handled. Allowed values are "Ignore" or "Fail".
- * "Ignore" means that an error calling the webhook is ignored and the API
- request is allowed to continue.
- * "Fail" means that an error calling the webhook causes the admission to
- fail and the API request to be rejected.
- The default behaviour is "Fail"
- type: string
- matchPolicy:
- description: |-
- matchPolicy defines how the "rules" list is used to match incoming requests.
- Allowed values are "Exact" or "Equivalent".
-
- -
- Exact: match a request only if it exactly matches a specified rule.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-
- -
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-
-
- Defaults to "Equivalent"
- type: string
- mode:
- default: protect
- description: |-
- Mode defines the execution mode of this policy. Can be set to
- either "protect" or "monitor". If it's empty, it is defaulted to
- "protect".
- Transitioning this setting from "monitor" to "protect" is
- allowed, but is disallowed to transition from "protect" to
- "monitor". To perform this transition, the policy should be
- recreated in "monitor" mode instead.
- enum:
- - protect
- - monitor
- type: string
- module:
- description: |-
- Module is the location of the WASM module to be loaded. Can be a
- local file (file://), a remote file served by an HTTP server
- (http://, https://), or an artifact served by an OCI-compatible
- registry (registry://).
- type: string
- mutating:
- description: |-
- Mutating indicates whether a policy has the ability to mutate
- incoming requests or not.
- type: boolean
- objectSelector:
- description: |-
- ObjectSelector decides whether to run the webhook based on if the
- object has matching labels. objectSelector is evaluated against both
- the oldObject and newObject that would be sent to the webhook, and
- is considered to match if either object matches the selector. A null
- object (oldObject in the case of create, or newObject in the case of
- delete) or an object that cannot have labels (like a
- DeploymentRollback or a PodProxyOptions object) is not considered to
- match.
- Use the object selector only if the webhook is opt-in, because end
- users may skip the admission webhook by setting the labels.
- Default to the empty LabelSelector, which matches everything.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- policyServer:
- default: default
- description: PolicyServer identifies an existing PolicyServer resource.
- type: string
- rules:
- description: |-
- Rules describes what operations on what resources/subresources the webhook cares about.
- The webhook cares about an operation if it matches _any_ Rule.
- items:
- description: |-
- RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
- sure that all the tuple expansions are valid.
- properties:
- apiGroups:
- description: |-
- APIGroups is the API groups the resources belong to. '*' is all groups.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- apiVersions:
- description: |-
- APIVersions is the API versions the resources belong to. '*' is all versions.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- operations:
- description: |-
- Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
- for all of those operations and any future admission operations that are added.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- description: OperationType specifies an operation for a request.
- type: string
- type: array
- x-kubernetes-list-type: atomic
- resources:
- description: |-
- Resources is a list of resources this rule applies to.
-
- For example:
- 'pods' means pods.
- 'pods/log' means the log subresource of pods.
- '*' means all resources, but not subresources.
- 'pods/*' means all subresources of pods.
- '*/scale' means all scale subresources.
- '*/*' means all resources and their subresources.
-
- If wildcard is present, the validation rule will ensure resources do not
- overlap with each other.
-
- Depending on the enclosing object, subresources might not be allowed.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- scope:
- description: |-
- scope specifies the scope of this rule.
- Valid values are "Cluster", "Namespaced", and "*"
- "Cluster" means that only cluster-scoped resources will match this rule.
- Namespace API objects are cluster-scoped.
- "Namespaced" means that only namespaced resources will match this rule.
- "*" means that there are no scope restrictions.
- Subresources match the scope of their parent resource.
- Default is "*".
- type: string
- type: object
- type: array
- settings:
- description: |-
- Settings is a free-form object that contains the policy configuration
- values.
- x-kubernetes-embedded-resource: false
- nullable: true
- type: object
- x-kubernetes-preserve-unknown-fields: true
- sideEffects:
- description: |-
- SideEffects states whether this webhook has side effects.
- Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
- Webhooks with side effects MUST implement a reconciliation system, since a request may be
- rejected by a future step in the admission change and the side effects therefore need to be undone.
- Requests with the dryRun attribute will be auto-rejected if they match a webhook with
- sideEffects == Unknown or Some.
- type: string
- timeoutSeconds:
- default: 10
- description: |-
- TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
- the webhook call will be ignored or the API call will fail based on the
- failure policy.
- The timeout value must be between 1 and 30 seconds.
- Default to 10 seconds.
- format: int32
- type: integer
- required:
- - module
- - mutating
- - rules
- type: object
- status:
- description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
- and AdmissionPolicy.
- properties:
- conditions:
- description: |-
- Conditions represent the observed conditions of the
- ClusterAdmissionPolicy resource. Known .status.conditions.types
- are: "PolicyServerSecretReconciled",
- "PolicyServerConfigMapReconciled",
- "PolicyServerDeploymentReconciled",
- "PolicyServerServiceReconciled" and
- "AdmissionPolicyActive"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- mode:
- description: |-
- PolicyMode represents the observed policy mode of this policy in
- the associated PolicyServer configuration
- enum:
- - protect
- - monitor
- - unknown
- type: string
- policyStatus:
- description: PolicyStatus represents the observed status of the policy
- enum:
- - unscheduled
- - scheduled
- - pending
- - active
- type: string
- required:
- - policyStatus
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
diff --git a/config/crd/bases/policies.kubewarden.io_admissionpolicygroups.yaml b/config/crd/bases/policies.kubewarden.io_admissionpolicygroups.yaml
deleted file mode 100644
index 16b39c389..000000000
--- a/config/crd/bases/policies.kubewarden.io_admissionpolicygroups.yaml
+++ /dev/null
@@ -1,497 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
- name: admissionpolicygroups.policies.kubewarden.io
-spec:
- group: policies.kubewarden.io
- names:
- kind: AdmissionPolicyGroup
- listKind: AdmissionPolicyGroupList
- plural: admissionpolicygroups
- shortNames:
- - apg
- singular: admissionpolicygroup
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Bound to Policy Server
- jsonPath: .spec.policyServer
- name: Policy Server
- type: string
- - description: Whether the policy is mutating
- jsonPath: .spec.mutating
- name: Mutating
- type: boolean
- - description: Whether the policy is used in audit checks
- jsonPath: .spec.backgroundAudit
- name: BackgroundAudit
- type: boolean
- - description: Policy deployment mode
- jsonPath: .spec.mode
- name: Mode
- type: string
- - description: Policy deployment mode observed on the assigned Policy Server
- jsonPath: .status.mode
- name: Observed mode
- type: string
- - description: Status of the policy
- jsonPath: .status.policyStatus
- name: Status
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity']
- name: Severity
- priority: 1
- type: string
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category']
- name: Category
- priority: 1
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: AdmissionPolicyGroup is the Schema for the AdmissionPolicyGroups
- API
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: AdmissionPolicyGroupSpec defines the desired state of AdmissionPolicyGroup.
- properties:
- backgroundAudit:
- default: true
- description: |-
- BackgroundAudit indicates whether a policy should be used or skipped when
- performing audit checks. If false, the policy cannot produce meaningful
- evaluation results during audit checks and will be skipped.
- The default is "true".
- type: boolean
- expression:
- description: |-
- Expression is the evaluation expression to accept or reject the
- admission request under evaluation. This field uses CEL as the
- expression language for the policy groups. Each policy in the group
- will be represented as a function call in the expression with the
- same name as the policy defined in the group. The expression field
- should be a valid CEL expression that evaluates to a boolean value.
- If the expression evaluates to true, the group policy will be
- considered as accepted, otherwise, it will be considered as
- rejected. This expression allows grouping policies calls and perform
- logical operations on the results of the policies. See Kubewarden
- documentation to learn about all the features available.
- type: string
- failurePolicy:
- description: |-
- FailurePolicy defines how unrecognized errors and timeout errors from the
- policy are handled. Allowed values are "Ignore" or "Fail".
- * "Ignore" means that an error calling the webhook is ignored and the API
- request is allowed to continue.
- * "Fail" means that an error calling the webhook causes the admission to
- fail and the API request to be rejected.
- The default behaviour is "Fail"
- type: string
- matchConditions:
- description: |-
- MatchConditions are a list of conditions that must be met for a request to be
- validated. Match conditions filter requests that have already been matched by
- the rules, namespaceSelector, and objectSelector. An empty list of
- matchConditions matches all requests. There are a maximum of 64 match
- conditions allowed. If a parameter object is provided, it can be accessed via
- the `params` handle in the same manner as validation expressions. The exact
- matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
- the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
- is evaluated. 3. If any matchCondition evaluates to an error (but none are
- FALSE): - If failurePolicy=Fail, reject the request - If
- failurePolicy=Ignore, the policy is skipped.
- Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
- items:
- description: MatchCondition represents a condition which must by
- fulfilled for a request to be sent to a webhook.
- properties:
- expression:
- description: |-
- Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
- CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
- 'object' - The object from the incoming request. The value is null for DELETE requests.
- 'oldObject' - The existing object. The value is null for CREATE requests.
- 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
- See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
- request resource.
- Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
- Required.
- type: string
- name:
- description: |-
- Name is an identifier for this match condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes. A good name should be descriptive of
- the associated expression.
- Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
- '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
- optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
- Required.
- type: string
- required:
- - expression
- - name
- type: object
- type: array
- matchPolicy:
- description: |-
- matchPolicy defines how the "rules" list is used to match incoming requests.
- Allowed values are "Exact" or "Equivalent".
-
- -
- Exact: match a request only if it exactly matches a specified rule.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-
- -
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-
-
- Defaults to "Equivalent"
- type: string
- message:
- description: |-
- Message is used to specify the message that will be returned when
- the policy group is rejected. The specific policy results will be
- returned in the warning field of the response.
- type: string
- mode:
- default: protect
- description: |-
- Mode defines the execution mode of this policy. Can be set to
- either "protect" or "monitor". If it's empty, it is defaulted to
- "protect".
- Transitioning this setting from "monitor" to "protect" is
- allowed, but is disallowed to transition from "protect" to
- "monitor". To perform this transition, the policy should be
- recreated in "monitor" mode instead.
- enum:
- - protect
- - monitor
- type: string
- objectSelector:
- description: |-
- ObjectSelector decides whether to run the webhook based on if the
- object has matching labels. objectSelector is evaluated against both
- the oldObject and newObject that would be sent to the webhook, and
- is considered to match if either object matches the selector. A null
- object (oldObject in the case of create, or newObject in the case of
- delete) or an object that cannot have labels (like a
- DeploymentRollback or a PodProxyOptions object) is not considered to
- match.
- Use the object selector only if the webhook is opt-in, because end
- users may skip the admission webhook by setting the labels.
- Default to the empty LabelSelector, which matches everything.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- policies:
- additionalProperties:
- properties:
- module:
- description: |-
- Module is the location of the WASM module to be loaded. Can be a
- local file (file://), a remote file served by an HTTP server
- (http://, https://), or an artifact served by an OCI-compatible
- registry (registry://).
- If prefix is missing, it will default to registry:// and use that
- internally.
- type: string
- settings:
- description: |-
- Settings is a free-form object that contains the policy configuration
- values.
- x-kubernetes-embedded-resource: false
- nullable: true
- type: object
- x-kubernetes-preserve-unknown-fields: true
- timeoutEvalSeconds:
- description: |-
- TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
- the timeout passes, the policy evaluation call will fail based on the
- failure policy.
- The timeout value must be between 2 and 30 seconds.
- format: int32
- maximum: 30
- minimum: 2
- type: integer
- required:
- - module
- type: object
- description: |-
- Policies is a list of policies that are part of the group that will
- be available to be called in the evaluation expression field.
- Each policy in the group should be a Kubewarden policy.
- type: object
- policyServer:
- default: default
- description: PolicyServer identifies an existing PolicyServer resource.
- type: string
- rules:
- description: |-
- Rules describes what operations on what resources/subresources the webhook cares about.
- The webhook cares about an operation if it matches _any_ Rule.
- items:
- description: |-
- RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
- sure that all the tuple expansions are valid.
- properties:
- apiGroups:
- description: |-
- APIGroups is the API groups the resources belong to. '*' is all groups.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- apiVersions:
- description: |-
- APIVersions is the API versions the resources belong to. '*' is all versions.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- operations:
- description: |-
- Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
- for all of those operations and any future admission operations that are added.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- description: OperationType specifies an operation for a request.
- type: string
- type: array
- x-kubernetes-list-type: atomic
- resources:
- description: |-
- Resources is a list of resources this rule applies to.
-
- For example:
- 'pods' means pods.
- 'pods/log' means the log subresource of pods.
- '*' means all resources, but not subresources.
- 'pods/*' means all subresources of pods.
- '*/scale' means all scale subresources.
- '*/*' means all resources and their subresources.
-
- If wildcard is present, the validation rule will ensure resources do not
- overlap with each other.
-
- Depending on the enclosing object, subresources might not be allowed.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- scope:
- description: |-
- scope specifies the scope of this rule.
- Valid values are "Cluster", "Namespaced", and "*"
- "Cluster" means that only cluster-scoped resources will match this rule.
- Namespace API objects are cluster-scoped.
- "Namespaced" means that only namespaced resources will match this rule.
- "*" means that there are no scope restrictions.
- Subresources match the scope of their parent resource.
- Default is "*".
- type: string
- type: object
- type: array
- sideEffects:
- description: |-
- SideEffects states whether this webhook has side effects.
- Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
- Webhooks with side effects MUST implement a reconciliation system, since a request may be
- rejected by a future step in the admission change and the side effects therefore need to be undone.
- Requests with the dryRun attribute will be auto-rejected if they match a webhook with
- sideEffects == Unknown or Some.
- type: string
- timeoutSeconds:
- default: 10
- description: |-
- TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
- the webhook call will be ignored or the API call will fail based on the
- failure policy.
- The timeout value must be between 2 and 30 seconds.
- Default to 10 seconds.
- format: int32
- maximum: 30
- minimum: 2
- type: integer
- required:
- - expression
- - message
- - policies
- - rules
- type: object
- status:
- description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
- and AdmissionPolicy.
- properties:
- conditions:
- description: |-
- Conditions represent the observed conditions of the
- ClusterAdmissionPolicy resource. Known .status.conditions.types
- are: "PolicyServerSecretReconciled",
- "PolicyServerConfigMapReconciled",
- "PolicyServerDeploymentReconciled",
- "PolicyServerServiceReconciled" and
- "AdmissionPolicyActive"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- mode:
- description: |-
- PolicyMode represents the observed policy mode of this policy in
- the associated PolicyServer configuration
- enum:
- - protect
- - monitor
- - unknown
- type: string
- policyStatus:
- description: PolicyStatus represents the observed status of the policy
- enum:
- - unscheduled
- - scheduled
- - pending
- - active
- type: string
- required:
- - policyStatus
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/config/crd/bases/policies.kubewarden.io_clusteradmissionpolicies.yaml b/config/crd/bases/policies.kubewarden.io_clusteradmissionpolicies.yaml
deleted file mode 100644
index b05fcd156..000000000
--- a/config/crd/bases/policies.kubewarden.io_clusteradmissionpolicies.yaml
+++ /dev/null
@@ -1,1056 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
- name: clusteradmissionpolicies.policies.kubewarden.io
-spec:
- group: policies.kubewarden.io
- names:
- kind: ClusterAdmissionPolicy
- listKind: ClusterAdmissionPolicyList
- plural: clusteradmissionpolicies
- shortNames:
- - cap
- singular: clusteradmissionpolicy
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Bound to Policy Server
- jsonPath: .spec.policyServer
- name: Policy Server
- type: string
- - description: Whether the policy is mutating
- jsonPath: .spec.mutating
- name: Mutating
- type: boolean
- - description: Whether the policy is used in audit checks
- jsonPath: .spec.backgroundAudit
- name: BackgroundAudit
- type: boolean
- - description: Policy deployment mode
- jsonPath: .spec.mode
- name: Mode
- type: string
- - description: Policy deployment mode observed on the assigned Policy Server
- jsonPath: .status.mode
- name: Observed mode
- type: string
- - description: Status of the policy
- jsonPath: .status.policyStatus
- name: Status
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity']
- name: Severity
- priority: 1
- type: string
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category']
- name: Category
- priority: 1
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies
- API
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.
- properties:
- allowInsideAdmissionControllerNamespace:
- description: |-
- AllowInsideAdmissionControllerNamespace controls whether the policy should also be
- evaluated for resources in the namespace where Kubewarden is deployed.
- By default (false), an exclusion rule is added to the webhook so that the
- Kubewarden namespace is never targeted, protecting against an accidental
- lockout. Set this to true only if you deliberately want the policy to apply
- inside the Kubewarden namespace.
- Warning: setting this to true may cause a deadlock if the policy prevents
- Kubewarden components from starting.
- type: boolean
- backgroundAudit:
- default: true
- description: |-
- BackgroundAudit indicates whether a policy should be used or skipped when
- performing audit checks. If false, the policy cannot produce meaningful
- evaluation results during audit checks and will be skipped.
- The default is "true".
- type: boolean
- contextAwareResources:
- description: |-
- List of Kubernetes resources the policy is allowed to access at evaluation time.
- Access to these resources is done using the `ServiceAccount` of the PolicyServer
- the policy is assigned to.
- items:
- description: ContextAwareResource identifies a Kubernetes resource.
- properties:
- apiVersion:
- description: apiVersion of the resource (v1 for core group,
- groupName/groupVersions for other).
- type: string
- kind:
- description: Singular PascalCase name of the resource
- type: string
- required:
- - apiVersion
- - kind
- type: object
- type: array
- failurePolicy:
- description: |-
- FailurePolicy defines how unrecognized errors and timeout errors from the
- policy are handled. Allowed values are "Ignore" or "Fail".
- * "Ignore" means that an error calling the webhook is ignored and the API
- request is allowed to continue.
- * "Fail" means that an error calling the webhook causes the admission to
- fail and the API request to be rejected.
- The default behaviour is "Fail"
- type: string
- matchConditions:
- description: |-
- MatchConditions are a list of conditions that must be met for a request to be
- validated. Match conditions filter requests that have already been matched by
- the rules, namespaceSelector, and objectSelector. An empty list of
- matchConditions matches all requests. There are a maximum of 64 match
- conditions allowed. If a parameter object is provided, it can be accessed via
- the `params` handle in the same manner as validation expressions. The exact
- matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
- the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
- is evaluated. 3. If any matchCondition evaluates to an error (but none are
- FALSE): - If failurePolicy=Fail, reject the request - If
- failurePolicy=Ignore, the policy is skipped.
- Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
- items:
- description: MatchCondition represents a condition which must by
- fulfilled for a request to be sent to a webhook.
- properties:
- expression:
- description: |-
- Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
- CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
- 'object' - The object from the incoming request. The value is null for DELETE requests.
- 'oldObject' - The existing object. The value is null for CREATE requests.
- 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
- See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
- request resource.
- Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
- Required.
- type: string
- name:
- description: |-
- Name is an identifier for this match condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes. A good name should be descriptive of
- the associated expression.
- Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
- '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
- optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
- Required.
- type: string
- required:
- - expression
- - name
- type: object
- type: array
- matchPolicy:
- description: |-
- matchPolicy defines how the "rules" list is used to match incoming requests.
- Allowed values are "Exact" or "Equivalent".
-
- -
- Exact: match a request only if it exactly matches a specified rule.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-
- -
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-
-
- Defaults to "Equivalent"
- type: string
- message:
- description: |-
- Message overrides the rejection message of the policy.
- When provided, the policy's rejection message can be found
- inside of the `.status.details.causes` field of the
- AdmissionResponse object
- type: string
- mode:
- default: protect
- description: |-
- Mode defines the execution mode of this policy. Can be set to
- either "protect" or "monitor". If it's empty, it is defaulted to
- "protect".
- Transitioning this setting from "monitor" to "protect" is
- allowed, but is disallowed to transition from "protect" to
- "monitor". To perform this transition, the policy should be
- recreated in "monitor" mode instead.
- enum:
- - protect
- - monitor
- type: string
- module:
- description: |-
- Module is the location of the WASM module to be loaded. Can be a
- local file (file://), a remote file served by an HTTP server
- (http://, https://), or an artifact served by an OCI-compatible
- registry (registry://).
- If prefix is missing, it will default to registry:// and use that
- internally.
- type: string
- mutating:
- description: |-
- Mutating indicates whether a policy has the ability to mutate
- incoming requests or not.
- type: boolean
- namespaceSelector:
- description: |-
- NamespaceSelector decides whether to run the webhook on an object based
- on whether the namespace for that object matches the selector. If the
- object itself is a namespace, the matching is performed on
- object.metadata.labels. If the object is another cluster scoped resource,
- it never skips the webhook.
-
- For example, to run the webhook on any objects whose namespace is not
- associated with "runlevel" of "0" or "1"; you will set the selector as
- follows:
-
- "namespaceSelector": \{
- "matchExpressions": [
- \{
- "key": "runlevel",
- "operator": "NotIn",
- "values": [
- "0",
- "1"
- ]
- \}
- ]
- \}
-
- If instead you want to only run the webhook on any objects whose
- namespace is associated with the "environment" of "prod" or "staging";
- you will set the selector as follows:
-
- "namespaceSelector": \{
- "matchExpressions": [
- \{
- "key": "environment",
- "operator": "In",
- "values": [
- "prod",
- "staging"
- ]
- \}
- ]
- \}
-
- See
- https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
- for more examples of label selectors.
-
- Default to the empty LabelSelector, which matches everything.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- objectSelector:
- description: |-
- ObjectSelector decides whether to run the webhook based on if the
- object has matching labels. objectSelector is evaluated against both
- the oldObject and newObject that would be sent to the webhook, and
- is considered to match if either object matches the selector. A null
- object (oldObject in the case of create, or newObject in the case of
- delete) or an object that cannot have labels (like a
- DeploymentRollback or a PodProxyOptions object) is not considered to
- match.
- Use the object selector only if the webhook is opt-in, because end
- users may skip the admission webhook by setting the labels.
- Default to the empty LabelSelector, which matches everything.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- policyServer:
- default: default
- description: PolicyServer identifies an existing PolicyServer resource.
- type: string
- rules:
- description: |-
- Rules describes what operations on what resources/subresources the webhook cares about.
- The webhook cares about an operation if it matches _any_ Rule.
- items:
- description: |-
- RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
- sure that all the tuple expansions are valid.
- properties:
- apiGroups:
- description: |-
- APIGroups is the API groups the resources belong to. '*' is all groups.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- apiVersions:
- description: |-
- APIVersions is the API versions the resources belong to. '*' is all versions.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- operations:
- description: |-
- Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
- for all of those operations and any future admission operations that are added.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- description: OperationType specifies an operation for a request.
- type: string
- type: array
- x-kubernetes-list-type: atomic
- resources:
- description: |-
- Resources is a list of resources this rule applies to.
-
- For example:
- 'pods' means pods.
- 'pods/log' means the log subresource of pods.
- '*' means all resources, but not subresources.
- 'pods/*' means all subresources of pods.
- '*/scale' means all scale subresources.
- '*/*' means all resources and their subresources.
-
- If wildcard is present, the validation rule will ensure resources do not
- overlap with each other.
-
- Depending on the enclosing object, subresources might not be allowed.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- scope:
- description: |-
- scope specifies the scope of this rule.
- Valid values are "Cluster", "Namespaced", and "*"
- "Cluster" means that only cluster-scoped resources will match this rule.
- Namespace API objects are cluster-scoped.
- "Namespaced" means that only namespaced resources will match this rule.
- "*" means that there are no scope restrictions.
- Subresources match the scope of their parent resource.
- Default is "*".
- type: string
- type: object
- type: array
- settings:
- description: |-
- Settings is a free-form object that contains the policy configuration
- values.
- x-kubernetes-embedded-resource: false
- nullable: true
- type: object
- x-kubernetes-preserve-unknown-fields: true
- sideEffects:
- description: |-
- SideEffects states whether this webhook has side effects.
- Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
- Webhooks with side effects MUST implement a reconciliation system, since a request may be
- rejected by a future step in the admission change and the side effects therefore need to be undone.
- Requests with the dryRun attribute will be auto-rejected if they match a webhook with
- sideEffects == Unknown or Some.
- type: string
- timeoutEvalSeconds:
- description: |-
- TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
- the timeout passes, the policy evaluation call will fail based on the
- failure policy.
- The timeout value must be between 2 and 30 seconds.
- format: int32
- maximum: 30
- minimum: 2
- type: integer
- timeoutSeconds:
- default: 10
- description: |-
- TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes,
- the webhook call will be ignored or the API call will fail based on the
- failure policy.
- The timeout value must be between 2 and 30 seconds.
- Default to 10 seconds.
- format: int32
- maximum: 30
- minimum: 2
- type: integer
- required:
- - module
- - mutating
- - rules
- type: object
- status:
- description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
- and AdmissionPolicy.
- properties:
- conditions:
- description: |-
- Conditions represent the observed conditions of the
- ClusterAdmissionPolicy resource. Known .status.conditions.types
- are: "PolicyServerSecretReconciled",
- "PolicyServerConfigMapReconciled",
- "PolicyServerDeploymentReconciled",
- "PolicyServerServiceReconciled" and
- "AdmissionPolicyActive"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- mode:
- description: |-
- PolicyMode represents the observed policy mode of this policy in
- the associated PolicyServer configuration
- enum:
- - protect
- - monitor
- - unknown
- type: string
- policyStatus:
- description: PolicyStatus represents the observed status of the policy
- enum:
- - unscheduled
- - scheduled
- - pending
- - active
- type: string
- required:
- - policyStatus
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: Bound to Policy Server
- jsonPath: .spec.policyServer
- name: Policy Server
- type: string
- - description: Whether the policy is mutating
- jsonPath: .spec.mutating
- name: Mutating
- type: boolean
- - description: Policy deployment mode
- jsonPath: .spec.mode
- name: Mode
- type: string
- - description: Policy deployment mode observed on the assigned Policy Server
- jsonPath: .status.mode
- name: Observed mode
- type: string
- - description: Status of the policy
- jsonPath: .status.policyStatus
- name: Status
- type: string
- deprecated: true
- deprecationWarning: This version is deprecated. Please, consider using v1
- name: v1alpha2
- schema:
- openAPIV3Schema:
- description: ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies
- API
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.
- properties:
- failurePolicy:
- description: |-
- FailurePolicy defines how unrecognized errors and timeout errors from the
- policy are handled. Allowed values are "Ignore" or "Fail".
- * "Ignore" means that an error calling the webhook is ignored and the API
- request is allowed to continue.
- * "Fail" means that an error calling the webhook causes the admission to
- fail and the API request to be rejected.
- The default behaviour is "Fail"
- type: string
- matchPolicy:
- description: |-
- matchPolicy defines how the "rules" list is used to match incoming requests.
- Allowed values are "Exact" or "Equivalent".
-
- -
- Exact: match a request only if it exactly matches a specified rule.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-
- -
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-
-
- Defaults to "Equivalent"
- type: string
- mode:
- default: protect
- description: |-
- Mode defines the execution mode of this policy. Can be set to
- either "protect" or "monitor". If it's empty, it is defaulted to
- "protect".
- Transitioning this setting from "monitor" to "protect" is
- allowed, but is disallowed to transition from "protect" to
- "monitor". To perform this transition, the policy should be
- recreated in "monitor" mode instead.
- enum:
- - protect
- - monitor
- type: string
- module:
- description: |-
- Module is the location of the WASM module to be loaded. Can be a
- local file (file://), a remote file served by an HTTP server
- (http://, https://), or an artifact served by an OCI-compatible
- registry (registry://).
- type: string
- mutating:
- description: |-
- Mutating indicates whether a policy has the ability to mutate
- incoming requests or not.
- type: boolean
- namespaceSelector:
- description: |-
- NamespaceSelector decides whether to run the webhook on an object based
- on whether the namespace for that object matches the selector. If the
- object itself is a namespace, the matching is performed on
- object.metadata.labels. If the object is another cluster scoped resource,
- it never skips the webhook.
-
- For example, to run the webhook on any objects whose namespace is not
- associated with "runlevel" of "0" or "1"; you will set the selector as
- follows:
-
- "namespaceSelector": \{
- "matchExpressions": [
- \{
- "key": "runlevel",
- "operator": "NotIn",
- "values": [
- "0",
- "1"
- ]
- \}
- ]
- \}
-
- If instead you want to only run the webhook on any objects whose
- namespace is associated with the "environment" of "prod" or "staging";
- you will set the selector as follows:
-
- "namespaceSelector": \{
- "matchExpressions": [
- \{
- "key": "environment",
- "operator": "In",
- "values": [
- "prod",
- "staging"
- ]
- \}
- ]
- \}
-
- See
- https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
- for more examples of label selectors.
-
- Default to the empty LabelSelector, which matches everything.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- objectSelector:
- description: |-
- ObjectSelector decides whether to run the webhook based on if the
- object has matching labels. objectSelector is evaluated against both
- the oldObject and newObject that would be sent to the webhook, and
- is considered to match if either object matches the selector. A null
- object (oldObject in the case of create, or newObject in the case of
- delete) or an object that cannot have labels (like a
- DeploymentRollback or a PodProxyOptions object) is not considered to
- match.
- Use the object selector only if the webhook is opt-in, because end
- users may skip the admission webhook by setting the labels.
- Default to the empty LabelSelector, which matches everything.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- policyServer:
- default: default
- description: PolicyServer identifies an existing PolicyServer resource.
- type: string
- rules:
- description: |-
- Rules describes what operations on what resources/subresources the webhook cares about.
- The webhook cares about an operation if it matches _any_ Rule.
- items:
- description: |-
- RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
- sure that all the tuple expansions are valid.
- properties:
- apiGroups:
- description: |-
- APIGroups is the API groups the resources belong to. '*' is all groups.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- apiVersions:
- description: |-
- APIVersions is the API versions the resources belong to. '*' is all versions.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- operations:
- description: |-
- Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
- for all of those operations and any future admission operations that are added.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- description: OperationType specifies an operation for a request.
- type: string
- type: array
- x-kubernetes-list-type: atomic
- resources:
- description: |-
- Resources is a list of resources this rule applies to.
-
- For example:
- 'pods' means pods.
- 'pods/log' means the log subresource of pods.
- '*' means all resources, but not subresources.
- 'pods/*' means all subresources of pods.
- '*/scale' means all scale subresources.
- '*/*' means all resources and their subresources.
-
- If wildcard is present, the validation rule will ensure resources do not
- overlap with each other.
-
- Depending on the enclosing object, subresources might not be allowed.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- scope:
- description: |-
- scope specifies the scope of this rule.
- Valid values are "Cluster", "Namespaced", and "*"
- "Cluster" means that only cluster-scoped resources will match this rule.
- Namespace API objects are cluster-scoped.
- "Namespaced" means that only namespaced resources will match this rule.
- "*" means that there are no scope restrictions.
- Subresources match the scope of their parent resource.
- Default is "*".
- type: string
- type: object
- type: array
- settings:
- description: |-
- Settings is a free-form object that contains the policy configuration
- values.
- x-kubernetes-embedded-resource: false
- nullable: true
- type: object
- x-kubernetes-preserve-unknown-fields: true
- sideEffects:
- description: |-
- SideEffects states whether this webhook has side effects.
- Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
- Webhooks with side effects MUST implement a reconciliation system, since a request may be
- rejected by a future step in the admission change and the side effects therefore need to be undone.
- Requests with the dryRun attribute will be auto-rejected if they match a webhook with
- sideEffects == Unknown or Some.
- type: string
- timeoutSeconds:
- default: 10
- description: |-
- TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
- the webhook call will be ignored or the API call will fail based on the
- failure policy.
- The timeout value must be between 1 and 30 seconds.
- Default to 10 seconds.
- format: int32
- type: integer
- required:
- - module
- - mutating
- - rules
- type: object
- status:
- description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
- and AdmissionPolicy.
- properties:
- conditions:
- description: |-
- Conditions represent the observed conditions of the
- ClusterAdmissionPolicy resource. Known .status.conditions.types
- are: "PolicyServerSecretReconciled",
- "PolicyServerConfigMapReconciled",
- "PolicyServerDeploymentReconciled",
- "PolicyServerServiceReconciled" and
- "AdmissionPolicyActive"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- mode:
- description: |-
- PolicyMode represents the observed policy mode of this policy in
- the associated PolicyServer configuration
- enum:
- - protect
- - monitor
- - unknown
- type: string
- policyStatus:
- description: PolicyStatus represents the observed status of the policy
- enum:
- - unscheduled
- - scheduled
- - pending
- - active
- type: string
- required:
- - policyStatus
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
diff --git a/config/crd/bases/policies.kubewarden.io_clusteradmissionpolicygroups.yaml b/config/crd/bases/policies.kubewarden.io_clusteradmissionpolicygroups.yaml
deleted file mode 100644
index 6f6f9526b..000000000
--- a/config/crd/bases/policies.kubewarden.io_clusteradmissionpolicygroups.yaml
+++ /dev/null
@@ -1,621 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
- name: clusteradmissionpolicygroups.policies.kubewarden.io
-spec:
- group: policies.kubewarden.io
- names:
- kind: ClusterAdmissionPolicyGroup
- listKind: ClusterAdmissionPolicyGroupList
- plural: clusteradmissionpolicygroups
- shortNames:
- - capg
- singular: clusteradmissionpolicygroup
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Bound to Policy Server
- jsonPath: .spec.policyServer
- name: Policy Server
- type: string
- - description: Whether the policy is mutating
- jsonPath: .spec.mutating
- name: Mutating
- type: boolean
- - description: Whether the policy is used in audit checks
- jsonPath: .spec.backgroundAudit
- name: BackgroundAudit
- type: boolean
- - description: Policy deployment mode
- jsonPath: .spec.mode
- name: Mode
- type: string
- - description: Policy deployment mode observed on the assigned Policy Server
- jsonPath: .status.mode
- name: Observed mode
- type: string
- - description: Status of the policy
- jsonPath: .status.policyStatus
- name: Status
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity']
- name: Severity
- priority: 1
- type: string
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category']
- name: Category
- priority: 1
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: ClusterAdmissionPolicyGroup is the Schema for the clusteradmissionpolicies
- API
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: ClusterAdmissionPolicyGroupSpec defines the desired state
- of ClusterAdmissionPolicyGroup.
- properties:
- allowInsideAdmissionControllerNamespace:
- description: |-
- AllowInsideAdmissionControllerNamespace controls whether the policy should also be
- evaluated for resources in the namespace where Kubewarden is deployed.
- By default (false), an exclusion rule is added to the webhook so that the
- Kubewarden namespace is never targeted, protecting against an accidental
- lockout. Set this to true only if you deliberately want the policy to apply
- inside the Kubewarden namespace.
- Warning: setting this to true may cause a deadlock if the policy prevents
- Kubewarden components from starting.
- type: boolean
- backgroundAudit:
- default: true
- description: |-
- BackgroundAudit indicates whether a policy should be used or skipped when
- performing audit checks. If false, the policy cannot produce meaningful
- evaluation results during audit checks and will be skipped.
- The default is "true".
- type: boolean
- expression:
- description: |-
- Expression is the evaluation expression to accept or reject the
- admission request under evaluation. This field uses CEL as the
- expression language for the policy groups. Each policy in the group
- will be represented as a function call in the expression with the
- same name as the policy defined in the group. The expression field
- should be a valid CEL expression that evaluates to a boolean value.
- If the expression evaluates to true, the group policy will be
- considered as accepted, otherwise, it will be considered as
- rejected. This expression allows grouping policies calls and perform
- logical operations on the results of the policies. See Kubewarden
- documentation to learn about all the features available.
- type: string
- failurePolicy:
- description: |-
- FailurePolicy defines how unrecognized errors and timeout errors from the
- policy are handled. Allowed values are "Ignore" or "Fail".
- * "Ignore" means that an error calling the webhook is ignored and the API
- request is allowed to continue.
- * "Fail" means that an error calling the webhook causes the admission to
- fail and the API request to be rejected.
- The default behaviour is "Fail"
- type: string
- matchConditions:
- description: |-
- MatchConditions are a list of conditions that must be met for a request to be
- validated. Match conditions filter requests that have already been matched by
- the rules, namespaceSelector, and objectSelector. An empty list of
- matchConditions matches all requests. There are a maximum of 64 match
- conditions allowed. If a parameter object is provided, it can be accessed via
- the `params` handle in the same manner as validation expressions. The exact
- matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
- the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
- is evaluated. 3. If any matchCondition evaluates to an error (but none are
- FALSE): - If failurePolicy=Fail, reject the request - If
- failurePolicy=Ignore, the policy is skipped.
- Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
- items:
- description: MatchCondition represents a condition which must by
- fulfilled for a request to be sent to a webhook.
- properties:
- expression:
- description: |-
- Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
- CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
- 'object' - The object from the incoming request. The value is null for DELETE requests.
- 'oldObject' - The existing object. The value is null for CREATE requests.
- 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
- See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
- request resource.
- Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
- Required.
- type: string
- name:
- description: |-
- Name is an identifier for this match condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes. A good name should be descriptive of
- the associated expression.
- Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
- '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
- optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
- Required.
- type: string
- required:
- - expression
- - name
- type: object
- type: array
- matchPolicy:
- description: |-
- matchPolicy defines how the "rules" list is used to match incoming requests.
- Allowed values are "Exact" or "Equivalent".
-
- -
- Exact: match a request only if it exactly matches a specified rule.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-
- -
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
- For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
- and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
- a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-
-
- Defaults to "Equivalent"
- type: string
- message:
- description: |-
- Message is used to specify the message that will be returned when
- the policy group is rejected. The specific policy results will be
- returned in the warning field of the response.
- type: string
- mode:
- default: protect
- description: |-
- Mode defines the execution mode of this policy. Can be set to
- either "protect" or "monitor". If it's empty, it is defaulted to
- "protect".
- Transitioning this setting from "monitor" to "protect" is
- allowed, but is disallowed to transition from "protect" to
- "monitor". To perform this transition, the policy should be
- recreated in "monitor" mode instead.
- enum:
- - protect
- - monitor
- type: string
- namespaceSelector:
- description: |-
- NamespaceSelector decides whether to run the webhook on an object based
- on whether the namespace for that object matches the selector. If the
- object itself is a namespace, the matching is performed on
- object.metadata.labels. If the object is another cluster scoped resource,
- it never skips the webhook.
-
- For example, to run the webhook on any objects whose namespace is not
- associated with "runlevel" of "0" or "1"; you will set the selector as
- follows:
-
- "namespaceSelector": \{
- "matchExpressions": [
- \{
- "key": "runlevel",
- "operator": "NotIn",
- "values": [
- "0",
- "1"
- ]
- \}
- ]
- \}
-
- If instead you want to only run the webhook on any objects whose
- namespace is associated with the "environment" of "prod" or "staging";
- you will set the selector as follows:
-
- "namespaceSelector": \{
- "matchExpressions": [
- \{
- "key": "environment",
- "operator": "In",
- "values": [
- "prod",
- "staging"
- ]
- \}
- ]
- \}
-
- See
- https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
- for more examples of label selectors.
-
- Default to the empty LabelSelector, which matches everything.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- objectSelector:
- description: |-
- ObjectSelector decides whether to run the webhook based on if the
- object has matching labels. objectSelector is evaluated against both
- the oldObject and newObject that would be sent to the webhook, and
- is considered to match if either object matches the selector. A null
- object (oldObject in the case of create, or newObject in the case of
- delete) or an object that cannot have labels (like a
- DeploymentRollback or a PodProxyOptions object) is not considered to
- match.
- Use the object selector only if the webhook is opt-in, because end
- users may skip the admission webhook by setting the labels.
- Default to the empty LabelSelector, which matches everything.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- policies:
- additionalProperties:
- properties:
- contextAwareResources:
- description: |-
- List of Kubernetes resources the policy is allowed to access at evaluation time.
- Access to these resources is done using the `ServiceAccount` of the PolicyServer
- the policy is assigned to.
- items:
- description: ContextAwareResource identifies a Kubernetes
- resource.
- properties:
- apiVersion:
- description: apiVersion of the resource (v1 for core group,
- groupName/groupVersions for other).
- type: string
- kind:
- description: Singular PascalCase name of the resource
- type: string
- required:
- - apiVersion
- - kind
- type: object
- type: array
- module:
- description: |-
- Module is the location of the WASM module to be loaded. Can be a
- local file (file://), a remote file served by an HTTP server
- (http://, https://), or an artifact served by an OCI-compatible
- registry (registry://).
- If prefix is missing, it will default to registry:// and use that
- internally.
- type: string
- settings:
- description: |-
- Settings is a free-form object that contains the policy configuration
- values.
- x-kubernetes-embedded-resource: false
- nullable: true
- type: object
- x-kubernetes-preserve-unknown-fields: true
- timeoutEvalSeconds:
- description: |-
- TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
- the timeout passes, the policy evaluation call will fail based on the
- failure policy.
- The timeout value must be between 2 and 30 seconds.
- format: int32
- maximum: 30
- minimum: 2
- type: integer
- required:
- - module
- type: object
- description: |-
- Policies is a list of policies that are part of the group that will
- be available to be called in the evaluation expression field.
- Each policy in the group should be a Kubewarden policy.
- type: object
- policyServer:
- default: default
- description: PolicyServer identifies an existing PolicyServer resource.
- type: string
- rules:
- description: |-
- Rules describes what operations on what resources/subresources the webhook cares about.
- The webhook cares about an operation if it matches _any_ Rule.
- items:
- description: |-
- RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
- sure that all the tuple expansions are valid.
- properties:
- apiGroups:
- description: |-
- APIGroups is the API groups the resources belong to. '*' is all groups.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- apiVersions:
- description: |-
- APIVersions is the API versions the resources belong to. '*' is all versions.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- operations:
- description: |-
- Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
- for all of those operations and any future admission operations that are added.
- If '*' is present, the length of the slice must be one.
- Required.
- items:
- description: OperationType specifies an operation for a request.
- type: string
- type: array
- x-kubernetes-list-type: atomic
- resources:
- description: |-
- Resources is a list of resources this rule applies to.
-
- For example:
- 'pods' means pods.
- 'pods/log' means the log subresource of pods.
- '*' means all resources, but not subresources.
- 'pods/*' means all subresources of pods.
- '*/scale' means all scale subresources.
- '*/*' means all resources and their subresources.
-
- If wildcard is present, the validation rule will ensure resources do not
- overlap with each other.
-
- Depending on the enclosing object, subresources might not be allowed.
- Required.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- scope:
- description: |-
- scope specifies the scope of this rule.
- Valid values are "Cluster", "Namespaced", and "*"
- "Cluster" means that only cluster-scoped resources will match this rule.
- Namespace API objects are cluster-scoped.
- "Namespaced" means that only namespaced resources will match this rule.
- "*" means that there are no scope restrictions.
- Subresources match the scope of their parent resource.
- Default is "*".
- type: string
- type: object
- type: array
- sideEffects:
- description: |-
- SideEffects states whether this webhook has side effects.
- Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
- Webhooks with side effects MUST implement a reconciliation system, since a request may be
- rejected by a future step in the admission change and the side effects therefore need to be undone.
- Requests with the dryRun attribute will be auto-rejected if they match a webhook with
- sideEffects == Unknown or Some.
- type: string
- timeoutSeconds:
- default: 10
- description: |-
- TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
- the webhook call will be ignored or the API call will fail based on the
- failure policy.
- The timeout value must be between 2 and 30 seconds.
- Default to 10 seconds.
- format: int32
- maximum: 30
- minimum: 2
- type: integer
- required:
- - expression
- - message
- - policies
- - rules
- type: object
- status:
- description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
- and AdmissionPolicy.
- properties:
- conditions:
- description: |-
- Conditions represent the observed conditions of the
- ClusterAdmissionPolicy resource. Known .status.conditions.types
- are: "PolicyServerSecretReconciled",
- "PolicyServerConfigMapReconciled",
- "PolicyServerDeploymentReconciled",
- "PolicyServerServiceReconciled" and
- "AdmissionPolicyActive"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- mode:
- description: |-
- PolicyMode represents the observed policy mode of this policy in
- the associated PolicyServer configuration
- enum:
- - protect
- - monitor
- - unknown
- type: string
- policyStatus:
- description: PolicyStatus represents the observed status of the policy
- enum:
- - unscheduled
- - scheduled
- - pending
- - active
- type: string
- required:
- - policyStatus
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/config/crd/bases/policies.kubewarden.io_policyservers.yaml b/config/crd/bases/policies.kubewarden.io_policyservers.yaml
deleted file mode 100644
index d62c51179..000000000
--- a/config/crd/bases/policies.kubewarden.io_policyservers.yaml
+++ /dev/null
@@ -1,2132 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
- name: policyservers.policies.kubewarden.io
-spec:
- group: policies.kubewarden.io
- names:
- kind: PolicyServer
- listKind: PolicyServerList
- plural: policyservers
- shortNames:
- - ps
- singular: policyserver
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Policy Server replicas
- jsonPath: .spec.replicas
- name: Replicas
- type: string
- - description: Policy Server image
- jsonPath: .spec.image
- name: Image
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: PolicyServer is the Schema for the policyservers API.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: PolicyServerSpec defines the desired state of PolicyServer.
- properties:
- affinity:
- description: Affinity rules for the associated Policy Server pods.
- properties:
- nodeAffinity:
- description: Describes node affinity scheduling rules for the
- pod.
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: |-
- The scheduler will prefer to schedule pods to nodes that satisfy
- the affinity expressions specified by this field, but it may choose
- a node that violates one or more of the expressions. The node that is
- most preferred is the one with the greatest sum of weights, i.e.
- for each node that meets all of the scheduling requirements (resource
- request, requiredDuringScheduling affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node matches the corresponding matchExpressions; the
- node(s) with the highest sum are the most preferred.
- items:
- description: |-
- An empty preferred scheduling term matches all objects with implicit weight 0
- (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
- properties:
- preference:
- description: A node selector term, associated with the
- corresponding weight.
- properties:
- matchExpressions:
- description: A list of node selector requirements
- by node's labels.
- items:
- description: |-
- A node selector requirement is a selector that contains values, a key, and an operator
- that relates the key and values.
- properties:
- key:
- description: The label key that the selector
- applies to.
- type: string
- operator:
- description: |-
- Represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: |-
- An array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. If the operator is Gt or Lt, the values
- array must have a single element, which will be interpreted as an integer.
- This array is replaced during a strategic merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchFields:
- description: A list of node selector requirements
- by node's fields.
- items:
- description: |-
- A node selector requirement is a selector that contains values, a key, and an operator
- that relates the key and values.
- properties:
- key:
- description: The label key that the selector
- applies to.
- type: string
- operator:
- description: |-
- Represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: |-
- An array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. If the operator is Gt or Lt, the values
- array must have a single element, which will be interpreted as an integer.
- This array is replaced during a strategic merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- x-kubernetes-map-type: atomic
- weight:
- description: Weight associated with matching the corresponding
- nodeSelectorTerm, in the range 1-100.
- format: int32
- type: integer
- required:
- - preference
- - weight
- type: object
- type: array
- x-kubernetes-list-type: atomic
- requiredDuringSchedulingIgnoredDuringExecution:
- description: |-
- If the affinity requirements specified by this field are not met at
- scheduling time, the pod will not be scheduled onto the node.
- If the affinity requirements specified by this field cease to be met
- at some point during pod execution (e.g. due to an update), the system
- may or may not try to eventually evict the pod from its node.
- properties:
- nodeSelectorTerms:
- description: Required. A list of node selector terms.
- The terms are ORed.
- items:
- description: |-
- A null or empty node selector term matches no objects. The requirements of
- them are ANDed.
- The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
- properties:
- matchExpressions:
- description: A list of node selector requirements
- by node's labels.
- items:
- description: |-
- A node selector requirement is a selector that contains values, a key, and an operator
- that relates the key and values.
- properties:
- key:
- description: The label key that the selector
- applies to.
- type: string
- operator:
- description: |-
- Represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: |-
- An array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. If the operator is Gt or Lt, the values
- array must have a single element, which will be interpreted as an integer.
- This array is replaced during a strategic merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchFields:
- description: A list of node selector requirements
- by node's fields.
- items:
- description: |-
- A node selector requirement is a selector that contains values, a key, and an operator
- that relates the key and values.
- properties:
- key:
- description: The label key that the selector
- applies to.
- type: string
- operator:
- description: |-
- Represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: |-
- An array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. If the operator is Gt or Lt, the values
- array must have a single element, which will be interpreted as an integer.
- This array is replaced during a strategic merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- x-kubernetes-map-type: atomic
- type: array
- x-kubernetes-list-type: atomic
- required:
- - nodeSelectorTerms
- type: object
- x-kubernetes-map-type: atomic
- type: object
- podAffinity:
- description: Describes pod affinity scheduling rules (e.g. co-locate
- this pod in the same node, zone, etc. as some other pod(s)).
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: |-
- The scheduler will prefer to schedule pods to nodes that satisfy
- the affinity expressions specified by this field, but it may choose
- a node that violates one or more of the expressions. The node that is
- most preferred is the one with the greatest sum of weights, i.e.
- for each node that meets all of the scheduling requirements (resource
- request, requiredDuringScheduling affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
- node(s) with the highest sum are the most preferred.
- items:
- description: The weights of all of the matched WeightedPodAffinityTerm
- fields are added per-node to find the most preferred node(s)
- properties:
- podAffinityTerm:
- description: Required. A pod affinity term, associated
- with the corresponding weight.
- properties:
- labelSelector:
- description: |-
- A label query over a set of resources, in this case pods.
- If it's null, this PodAffinityTerm matches with no Pods.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are
- ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that
- the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: |-
- MatchLabelKeys is a set of pod label keys to select which pods will
- be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
- to select the group of existing pods which pods will be taken into consideration
- for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
- pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both matchLabelKeys and labelSelector.
- Also, matchLabelKeys cannot be set when labelSelector isn't set.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: |-
- MismatchLabelKeys is a set of pod label keys to select which pods will
- be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
- to select the group of existing pods which pods will be taken into consideration
- for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
- pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
- Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: |-
- A label query over the set of namespaces that the term applies to.
- The term is applied to the union of the namespaces selected by this field
- and the ones listed in the namespaces field.
- null selector and null or empty namespaces list means "this pod's namespace".
- An empty selector ({}) matches all namespaces.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are
- ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that
- the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- namespaces specifies a static list of namespace names that the term applies to.
- The term is applied to the union of the namespaces listed in this field
- and the ones selected by namespaceSelector.
- null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- description: |-
- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
- the labelSelector in the specified namespaces, where co-located is defined as running on a node
- whose value of the label with key topologyKey matches that of any node on which any of the
- selected pods is running.
- Empty topologyKey is not allowed.
- type: string
- required:
- - topologyKey
- type: object
- weight:
- description: |-
- weight associated with matching the corresponding podAffinityTerm,
- in the range 1-100.
- format: int32
- type: integer
- required:
- - podAffinityTerm
- - weight
- type: object
- type: array
- x-kubernetes-list-type: atomic
- requiredDuringSchedulingIgnoredDuringExecution:
- description: |-
- If the affinity requirements specified by this field are not met at
- scheduling time, the pod will not be scheduled onto the node.
- If the affinity requirements specified by this field cease to be met
- at some point during pod execution (e.g. due to a pod label update), the
- system may or may not try to eventually evict the pod from its node.
- When there are multiple elements, the lists of nodes corresponding to each
- podAffinityTerm are intersected, i.e. all terms must be satisfied.
- items:
- description: |-
- Defines a set of pods (namely those matching the labelSelector
- relative to the given namespace(s)) that this pod should be
- co-located (affinity) or not co-located (anti-affinity) with,
- where co-located is defined as running on a node whose value of
- the label with key matches that of any node on which
- a pod of the set of pods is running
- properties:
- labelSelector:
- description: |-
- A label query over a set of resources, in this case pods.
- If it's null, this PodAffinityTerm matches with no Pods.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: |-
- MatchLabelKeys is a set of pod label keys to select which pods will
- be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
- to select the group of existing pods which pods will be taken into consideration
- for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
- pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both matchLabelKeys and labelSelector.
- Also, matchLabelKeys cannot be set when labelSelector isn't set.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: |-
- MismatchLabelKeys is a set of pod label keys to select which pods will
- be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
- to select the group of existing pods which pods will be taken into consideration
- for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
- pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
- Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: |-
- A label query over the set of namespaces that the term applies to.
- The term is applied to the union of the namespaces selected by this field
- and the ones listed in the namespaces field.
- null selector and null or empty namespaces list means "this pod's namespace".
- An empty selector ({}) matches all namespaces.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- namespaces specifies a static list of namespace names that the term applies to.
- The term is applied to the union of the namespaces listed in this field
- and the ones selected by namespaceSelector.
- null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- description: |-
- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
- the labelSelector in the specified namespaces, where co-located is defined as running on a node
- whose value of the label with key topologyKey matches that of any node on which any of the
- selected pods is running.
- Empty topologyKey is not allowed.
- type: string
- required:
- - topologyKey
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- podAntiAffinity:
- description: Describes pod anti-affinity scheduling rules (e.g.
- avoid putting this pod in the same node, zone, etc. as some
- other pod(s)).
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: |-
- The scheduler will prefer to schedule pods to nodes that satisfy
- the anti-affinity expressions specified by this field, but it may choose
- a node that violates one or more of the expressions. The node that is
- most preferred is the one with the greatest sum of weights, i.e.
- for each node that meets all of the scheduling requirements (resource
- request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and subtracting
- "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
- node(s) with the highest sum are the most preferred.
- items:
- description: The weights of all of the matched WeightedPodAffinityTerm
- fields are added per-node to find the most preferred node(s)
- properties:
- podAffinityTerm:
- description: Required. A pod affinity term, associated
- with the corresponding weight.
- properties:
- labelSelector:
- description: |-
- A label query over a set of resources, in this case pods.
- If it's null, this PodAffinityTerm matches with no Pods.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are
- ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that
- the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: |-
- MatchLabelKeys is a set of pod label keys to select which pods will
- be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
- to select the group of existing pods which pods will be taken into consideration
- for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
- pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both matchLabelKeys and labelSelector.
- Also, matchLabelKeys cannot be set when labelSelector isn't set.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: |-
- MismatchLabelKeys is a set of pod label keys to select which pods will
- be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
- to select the group of existing pods which pods will be taken into consideration
- for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
- pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
- Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: |-
- A label query over the set of namespaces that the term applies to.
- The term is applied to the union of the namespaces selected by this field
- and the ones listed in the namespaces field.
- null selector and null or empty namespaces list means "this pod's namespace".
- An empty selector ({}) matches all namespaces.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are
- ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that
- the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- namespaces specifies a static list of namespace names that the term applies to.
- The term is applied to the union of the namespaces listed in this field
- and the ones selected by namespaceSelector.
- null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- description: |-
- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
- the labelSelector in the specified namespaces, where co-located is defined as running on a node
- whose value of the label with key topologyKey matches that of any node on which any of the
- selected pods is running.
- Empty topologyKey is not allowed.
- type: string
- required:
- - topologyKey
- type: object
- weight:
- description: |-
- weight associated with matching the corresponding podAffinityTerm,
- in the range 1-100.
- format: int32
- type: integer
- required:
- - podAffinityTerm
- - weight
- type: object
- type: array
- x-kubernetes-list-type: atomic
- requiredDuringSchedulingIgnoredDuringExecution:
- description: |-
- If the anti-affinity requirements specified by this field are not met at
- scheduling time, the pod will not be scheduled onto the node.
- If the anti-affinity requirements specified by this field cease to be met
- at some point during pod execution (e.g. due to a pod label update), the
- system may or may not try to eventually evict the pod from its node.
- When there are multiple elements, the lists of nodes corresponding to each
- podAffinityTerm are intersected, i.e. all terms must be satisfied.
- items:
- description: |-
- Defines a set of pods (namely those matching the labelSelector
- relative to the given namespace(s)) that this pod should be
- co-located (affinity) or not co-located (anti-affinity) with,
- where co-located is defined as running on a node whose value of
- the label with key matches that of any node on which
- a pod of the set of pods is running
- properties:
- labelSelector:
- description: |-
- A label query over a set of resources, in this case pods.
- If it's null, this PodAffinityTerm matches with no Pods.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: |-
- MatchLabelKeys is a set of pod label keys to select which pods will
- be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
- to select the group of existing pods which pods will be taken into consideration
- for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
- pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both matchLabelKeys and labelSelector.
- Also, matchLabelKeys cannot be set when labelSelector isn't set.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: |-
- MismatchLabelKeys is a set of pod label keys to select which pods will
- be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
- to select the group of existing pods which pods will be taken into consideration
- for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
- pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
- Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: |-
- A label query over the set of namespaces that the term applies to.
- The term is applied to the union of the namespaces selected by this field
- and the ones listed in the namespaces field.
- null selector and null or empty namespaces list means "this pod's namespace".
- An empty selector ({}) matches all namespaces.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- namespaces specifies a static list of namespace names that the term applies to.
- The term is applied to the union of the namespaces listed in this field
- and the ones selected by namespaceSelector.
- null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- description: |-
- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
- the labelSelector in the specified namespaces, where co-located is defined as running on a node
- whose value of the label with key topologyKey matches that of any node on which any of the
- selected pods is running.
- Empty topologyKey is not allowed.
- type: string
- required:
- - topologyKey
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- type: object
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is an unstructured key value map stored with a resource that may be
- set by external tools to store and retrieve arbitrary metadata. They are not
- queryable and should be preserved when modifying objects.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- type: object
- env:
- description: List of environment variables to set in the container.
- items:
- description: EnvVar represents an environment variable present in
- a Container.
- properties:
- name:
- description: |-
- Name of the environment variable.
- May consist of any printable ASCII characters except '='.
- type: string
- value:
- description: |-
- Variable references $(VAR_NAME) are expanded
- using the previously defined environment variables in the container and
- any service environment variables. If a variable cannot be resolved,
- the reference in the input string will be unchanged. Double $$ are reduced
- to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
- "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
- Escaped references will never be expanded, regardless of whether the variable
- exists or not.
- Defaults to "".
- type: string
- valueFrom:
- description: Source for the environment variable's value. Cannot
- be used if value is not empty.
- properties:
- configMapKeyRef:
- description: Selects a key of a ConfigMap.
- properties:
- key:
- description: The key to select.
- type: string
- name:
- default: ""
- description: |-
- Name of the referent.
- This field is effectively required, but due to backwards compatibility is
- allowed to be empty. Instances of this type with an empty value here are
- almost certainly wrong.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- type: string
- optional:
- description: Specify whether the ConfigMap or its key
- must be defined
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- fieldRef:
- description: |-
- Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
- spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
- properties:
- apiVersion:
- description: Version of the schema the FieldPath is
- written in terms of, defaults to "v1".
- type: string
- fieldPath:
- description: Path of the field to select in the specified
- API version.
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- fileKeyRef:
- description: |-
- FileKeyRef selects a key of the env file.
- Requires the EnvFiles feature gate to be enabled.
- properties:
- key:
- description: |-
- The key within the env file. An invalid key will prevent the pod from starting.
- The keys defined within a source may consist of any printable ASCII characters except '='.
- During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
- type: string
- optional:
- default: false
- description: |-
- Specify whether the file or its key must be defined. If the file or key
- does not exist, then the env var is not published.
- If optional is set to true and the specified key does not exist,
- the environment variable will not be set in the Pod's containers.
-
- If optional is set to false and the specified key does not exist,
- an error will be returned during Pod creation.
- type: boolean
- path:
- description: |-
- The path within the volume from which to select the file.
- Must be relative and may not contain the '..' path or start with '..'.
- type: string
- volumeName:
- description: The name of the volume mount containing
- the env file.
- type: string
- required:
- - key
- - path
- - volumeName
- type: object
- x-kubernetes-map-type: atomic
- resourceFieldRef:
- description: |-
- Selects a resource of the container: only resources limits and requests
- (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
- properties:
- containerName:
- description: 'Container name: required for volumes,
- optional for env vars'
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- description: Specifies the output format of the exposed
- resources, defaults to "1"
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- description: 'Required: resource to select'
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- secretKeyRef:
- description: Selects a key of a secret in the pod's namespace
- properties:
- key:
- description: The key of the secret to select from. Must
- be a valid secret key.
- type: string
- name:
- default: ""
- description: |-
- Name of the referent.
- This field is effectively required, but due to backwards compatibility is
- allowed to be empty. Instances of this type with an empty value here are
- almost certainly wrong.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- type: string
- optional:
- description: Specify whether the Secret or its key must
- be defined
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- type: object
- required:
- - name
- type: object
- type: array
- image:
- description: Docker image name.
- type: string
- imagePullSecret:
- description: |-
- Name of ImagePullSecret secret in the same namespace, used for pulling
- policies from repositories.
- type: string
- insecureSources:
- description: |-
- List of insecure URIs to policy repositories. The `insecureSources`
- content format corresponds with the contents of the `insecure_sources`
- key in `sources.yaml`. Reference for `sources.yaml` is found in the
- Kubewarden documentation in the reference section.
- items:
- type: string
- type: array
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: Limits describes the maximum amount of compute resources
- allowed.
- type: object
- maxUnavailable:
- anyOf:
- - type: integer
- - type: string
- description: |-
- Number of policy server replicas that can be unavailable after the
- eviction. The value can be an absolute number or a percentage. Only one of
- MinAvailable or Max MaxUnavailable can be set.
- x-kubernetes-int-or-string: true
- minAvailable:
- anyOf:
- - type: integer
- - type: string
- description: |-
- Number of policy server replicas that must be still available after the
- eviction. The value can be an absolute number or a percentage. Only one of
- MinAvailable or Max MaxUnavailable can be set.
- x-kubernetes-int-or-string: true
- namespacedPoliciesCapabilities:
- description: |-
- NamespacedPoliciesCapabilities lists host capability API calls allowed
- for namespaced policies running on this PolicyServer. When not set,
- no host capabilities are granted to namespaced policies.
- Supported wildcard patterns:
- - "*": allow all host capabilities
- - "category/*": allow all capabilities in a category (e.g. "oci/*")
- - "category/version/*": allow all capabilities of a specific version (e.g. "oci/v1/*")
- - Specific capability paths (e.g. "oci/v1/verify", "net/v1/dns_lookup_host")
- items:
- type: string
- type: array
- priorityClassName:
- description: |-
- PriorityClassName is the name of the PriorityClass to be used for the
- policy server pods. Useful to schedule policy server pods with higher
- priority to ensure their availability over other cluster workload
- resources.
- Note: If the referenced PriorityClass is deleted, existing pods
- remain unchanged, but new pods that reference it cannot be created.
- type: string
- replicas:
- description: Replicas is the number of desired replicas.
- format: int32
- type: integer
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: |-
- Requests describes the minimum amount of compute resources required.
- If Request is omitted for, it defaults to Limits if that is explicitly specified,
- otherwise to an implementation-defined value
- type: object
- securityContexts:
- description: |-
- Security configuration to be used in the Policy Server workload.
- The field allows different configurations for the pod and containers.
- If set for the containers, this configuration will not be used in
- containers added by other controllers (e.g. telemetry sidecars)
- properties:
- container:
- description: securityContext definition to be used in the policy
- server container
- properties:
- allowPrivilegeEscalation:
- description: |-
- AllowPrivilegeEscalation controls whether a process can gain more
- privileges than its parent process. This bool directly controls if
- the no_new_privs flag will be set on the container process.
- AllowPrivilegeEscalation is true always when the container is:
- 1) run as Privileged
- 2) has CAP_SYS_ADMIN
- Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- appArmorProfile:
- description: |-
- appArmorProfile is the AppArmor options to use by this container. If set, this profile
- overrides the pod's appArmorProfile.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- localhostProfile:
- description: |-
- localhostProfile indicates a profile loaded on the node that should be used.
- The profile must be preconfigured on the node to work.
- Must match the loaded name of the profile.
- Must be set if and only if type is "Localhost".
- type: string
- type:
- description: |-
- type indicates which kind of AppArmor profile will be applied.
- Valid options are:
- Localhost - a profile pre-loaded on the node.
- RuntimeDefault - the container runtime's default profile.
- Unconfined - no AppArmor enforcement.
- type: string
- required:
- - type
- type: object
- capabilities:
- description: |-
- The capabilities to add/drop when running containers.
- Defaults to the default set of capabilities granted by the container runtime.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- add:
- description: Added capabilities
- items:
- description: Capability represent POSIX capabilities
- type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- description: Removed capabilities
- items:
- description: Capability represent POSIX capabilities
- type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- description: |-
- Run container in privileged mode.
- Processes in privileged containers are essentially equivalent to root on the host.
- Defaults to false.
- Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- procMount:
- description: |-
- procMount denotes the type of proc mount to use for the containers.
- The default value is Default which uses the container runtime defaults for
- readonly paths and masked paths.
- This requires the ProcMountType feature flag to be enabled.
- Note that this field cannot be set when spec.os.name is windows.
- type: string
- readOnlyRootFilesystem:
- description: |-
- Whether this container has a read-only root filesystem.
- Default is false.
- Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- runAsGroup:
- description: |-
- The GID to run the entrypoint of the container process.
- Uses runtime default if unset.
- May also be set in PodSecurityContext. If set in both SecurityContext and
- PodSecurityContext, the value specified in SecurityContext takes precedence.
- Note that this field cannot be set when spec.os.name is windows.
- format: int64
- type: integer
- runAsNonRoot:
- description: |-
- Indicates that the container must run as a non-root user.
- If true, the Kubelet will validate the image at runtime to ensure that it
- does not run as UID 0 (root) and fail to start the container if it does.
- If unset or false, no such validation will be performed.
- May also be set in PodSecurityContext. If set in both SecurityContext and
- PodSecurityContext, the value specified in SecurityContext takes precedence.
- type: boolean
- runAsUser:
- description: |-
- The UID to run the entrypoint of the container process.
- Defaults to user specified in image metadata if unspecified.
- May also be set in PodSecurityContext. If set in both SecurityContext and
- PodSecurityContext, the value specified in SecurityContext takes precedence.
- Note that this field cannot be set when spec.os.name is windows.
- format: int64
- type: integer
- seLinuxOptions:
- description: |-
- The SELinux context to be applied to the container.
- If unspecified, the container runtime will allocate a random SELinux context for each
- container. May also be set in PodSecurityContext. If set in both SecurityContext and
- PodSecurityContext, the value specified in SecurityContext takes precedence.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- level:
- description: Level is SELinux level label that applies
- to the container.
- type: string
- role:
- description: Role is a SELinux role label that applies
- to the container.
- type: string
- type:
- description: Type is a SELinux type label that applies
- to the container.
- type: string
- user:
- description: User is a SELinux user label that applies
- to the container.
- type: string
- type: object
- seccompProfile:
- description: |-
- The seccomp options to use by this container. If seccomp options are
- provided at both the pod & container level, the container options
- override the pod options.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- localhostProfile:
- description: |-
- localhostProfile indicates a profile defined in a file on the node should be used.
- The profile must be preconfigured on the node to work.
- Must be a descending path, relative to the kubelet's configured seccomp profile location.
- Must be set if type is "Localhost". Must NOT be set for any other type.
- type: string
- type:
- description: |-
- type indicates which kind of seccomp profile will be applied.
- Valid options are:
-
- Localhost - a profile defined in a file on the node should be used.
- RuntimeDefault - the container runtime default profile should be used.
- Unconfined - no profile should be applied.
- type: string
- required:
- - type
- type: object
- windowsOptions:
- description: |-
- The Windows specific settings applied to all containers.
- If unspecified, the options from the PodSecurityContext will be used.
- If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
- Note that this field cannot be set when spec.os.name is linux.
- properties:
- gmsaCredentialSpec:
- description: |-
- GMSACredentialSpec is where the GMSA admission webhook
- (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
- GMSA credential spec named by the GMSACredentialSpecName field.
- type: string
- gmsaCredentialSpecName:
- description: GMSACredentialSpecName is the name of the
- GMSA credential spec to use.
- type: string
- hostProcess:
- description: |-
- HostProcess determines if a container should be run as a 'Host Process' container.
- All of a Pod's containers must have the same effective HostProcess value
- (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
- In addition, if HostProcess is true then HostNetwork must also be set to true.
- type: boolean
- runAsUserName:
- description: |-
- The UserName in Windows to run the entrypoint of the container process.
- Defaults to the user specified in image metadata if unspecified.
- May also be set in PodSecurityContext. If set in both SecurityContext and
- PodSecurityContext, the value specified in SecurityContext takes precedence.
- type: string
- type: object
- type: object
- pod:
- description: podSecurityContext definition to be used in the policy
- server Pod
- properties:
- appArmorProfile:
- description: |-
- appArmorProfile is the AppArmor options to use by the containers in this pod.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- localhostProfile:
- description: |-
- localhostProfile indicates a profile loaded on the node that should be used.
- The profile must be preconfigured on the node to work.
- Must match the loaded name of the profile.
- Must be set if and only if type is "Localhost".
- type: string
- type:
- description: |-
- type indicates which kind of AppArmor profile will be applied.
- Valid options are:
- Localhost - a profile pre-loaded on the node.
- RuntimeDefault - the container runtime's default profile.
- Unconfined - no AppArmor enforcement.
- type: string
- required:
- - type
- type: object
- fsGroup:
- description: |-
- A special supplemental group that applies to all containers in a pod.
- Some volume types allow the Kubelet to change the ownership of that volume
- to be owned by the pod:
-
- 1. The owning GID will be the FSGroup
- 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
- 3. The permission bits are OR'd with rw-rw----
-
- If unset, the Kubelet will not modify the ownership and permissions of any volume.
- Note that this field cannot be set when spec.os.name is windows.
- format: int64
- type: integer
- fsGroupChangePolicy:
- description: |-
- fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
- before being exposed inside Pod. This field will only apply to
- volume types which support fsGroup based ownership(and permissions).
- It will have no effect on ephemeral volume types such as: secret, configmaps
- and emptydir.
- Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
- Note that this field cannot be set when spec.os.name is windows.
- type: string
- runAsGroup:
- description: |-
- The GID to run the entrypoint of the container process.
- Uses runtime default if unset.
- May also be set in SecurityContext. If set in both SecurityContext and
- PodSecurityContext, the value specified in SecurityContext takes precedence
- for that container.
- Note that this field cannot be set when spec.os.name is windows.
- format: int64
- type: integer
- runAsNonRoot:
- description: |-
- Indicates that the container must run as a non-root user.
- If true, the Kubelet will validate the image at runtime to ensure that it
- does not run as UID 0 (root) and fail to start the container if it does.
- If unset or false, no such validation will be performed.
- May also be set in SecurityContext. If set in both SecurityContext and
- PodSecurityContext, the value specified in SecurityContext takes precedence.
- type: boolean
- runAsUser:
- description: |-
- The UID to run the entrypoint of the container process.
- Defaults to user specified in image metadata if unspecified.
- May also be set in SecurityContext. If set in both SecurityContext and
- PodSecurityContext, the value specified in SecurityContext takes precedence
- for that container.
- Note that this field cannot be set when spec.os.name is windows.
- format: int64
- type: integer
- seLinuxChangePolicy:
- description: |-
- seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
- It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
- Valid values are "MountOption" and "Recursive".
-
- "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
- This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
-
- "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
- This requires all Pods that share the same volume to use the same SELinux label.
- It is not possible to share the same volume among privileged and unprivileged Pods.
- Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
- whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
- CSIDriver instance. Other volumes are always re-labelled recursively.
- "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
-
- If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
- If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
- and "Recursive" for all other volumes.
-
- This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
-
- All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
- Note that this field cannot be set when spec.os.name is windows.
- type: string
- seLinuxOptions:
- description: |-
- The SELinux context to be applied to all containers.
- If unspecified, the container runtime will allocate a random SELinux context for each
- container. May also be set in SecurityContext. If set in
- both SecurityContext and PodSecurityContext, the value specified in SecurityContext
- takes precedence for that container.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- level:
- description: Level is SELinux level label that applies
- to the container.
- type: string
- role:
- description: Role is a SELinux role label that applies
- to the container.
- type: string
- type:
- description: Type is a SELinux type label that applies
- to the container.
- type: string
- user:
- description: User is a SELinux user label that applies
- to the container.
- type: string
- type: object
- seccompProfile:
- description: |-
- The seccomp options to use by the containers in this pod.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- localhostProfile:
- description: |-
- localhostProfile indicates a profile defined in a file on the node should be used.
- The profile must be preconfigured on the node to work.
- Must be a descending path, relative to the kubelet's configured seccomp profile location.
- Must be set if type is "Localhost". Must NOT be set for any other type.
- type: string
- type:
- description: |-
- type indicates which kind of seccomp profile will be applied.
- Valid options are:
-
- Localhost - a profile defined in a file on the node should be used.
- RuntimeDefault - the container runtime default profile should be used.
- Unconfined - no profile should be applied.
- type: string
- required:
- - type
- type: object
- supplementalGroups:
- description: |-
- A list of groups applied to the first process run in each container, in
- addition to the container's primary GID and fsGroup (if specified). If
- the SupplementalGroupsPolicy feature is enabled, the
- supplementalGroupsPolicy field determines whether these are in addition
- to or instead of any group memberships defined in the container image.
- If unspecified, no additional groups are added, though group memberships
- defined in the container image may still be used, depending on the
- supplementalGroupsPolicy field.
- Note that this field cannot be set when spec.os.name is windows.
- items:
- format: int64
- type: integer
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroupsPolicy:
- description: |-
- Defines how supplemental groups of the first container processes are calculated.
- Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
- (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
- and the container runtime must implement support for this feature.
- Note that this field cannot be set when spec.os.name is windows.
- type: string
- sysctls:
- description: |-
- Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
- sysctls (by the container runtime) might fail to launch.
- Note that this field cannot be set when spec.os.name is windows.
- items:
- description: Sysctl defines a kernel parameter to be set
- properties:
- name:
- description: Name of a property to set
- type: string
- value:
- description: Value of a property to set
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- windowsOptions:
- description: |-
- The Windows specific settings applied to all containers.
- If unspecified, the options within a container's SecurityContext will be used.
- If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
- Note that this field cannot be set when spec.os.name is linux.
- properties:
- gmsaCredentialSpec:
- description: |-
- GMSACredentialSpec is where the GMSA admission webhook
- (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
- GMSA credential spec named by the GMSACredentialSpecName field.
- type: string
- gmsaCredentialSpecName:
- description: GMSACredentialSpecName is the name of the
- GMSA credential spec to use.
- type: string
- hostProcess:
- description: |-
- HostProcess determines if a container should be run as a 'Host Process' container.
- All of a Pod's containers must have the same effective HostProcess value
- (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
- In addition, if HostProcess is true then HostNetwork must also be set to true.
- type: boolean
- runAsUserName:
- description: |-
- The UserName in Windows to run the entrypoint of the container process.
- Defaults to the user specified in image metadata if unspecified.
- May also be set in PodSecurityContext. If set in both SecurityContext and
- PodSecurityContext, the value specified in SecurityContext takes precedence.
- type: string
- type: object
- type: object
- type: object
- serviceAccountName:
- description: |-
- Name of the service account associated with the policy server.
- Namespace service account will be used if not specified.
- type: string
- sigstoreTrustConfig:
- description: |-
- Name of SigstoreTrustConfig configmap in the kubewarden namespace (same
- namespace as the controller deployment), containing Sigstore trust
- configuration (ClientTrustConfig JSON). The configuration must be under a
- key named sigstore-trust-config in the ConfigMap. This is used to configure
- a custom Sigstore instance instead of the default public Sigstore infrastructure.
- WARNING: This feature requires strict access control. Users with write access
- to this ConfigMap can influence policy signature verification.
- type: string
- sourceAuthorities:
- additionalProperties:
- items:
- type: string
- type: array
- description: |-
- Key value map of registry URIs endpoints to a list of their associated
- PEM encoded certificate authorities that have to be used to verify the
- certificate used by the endpoint. The `sourceAuthorities` content format
- corresponds with the contents of the `source_authorities` key in
- `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden
- documentation in the reference section.
- type: object
- tolerations:
- description: |-
- Tolerations describe the policy server pod's tolerations. It can be
- used to ensure that the policy server pod is not scheduled onto a
- node with a taint.
- items:
- description: |-
- The pod this Toleration is attached to tolerates any taint that matches
- the triple using the matching operator .
- properties:
- effect:
- description: |-
- Effect indicates the taint effect to match. Empty means match all taint effects.
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
- type: string
- key:
- description: |-
- Key is the taint key that the toleration applies to. Empty means match all taint keys.
- If the key is empty, operator must be Exists; this combination means to match all values and all keys.
- type: string
- operator:
- description: |-
- Operator represents a key's relationship to the value.
- Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
- Exists is equivalent to wildcard for value, so that a pod can
- tolerate all taints of a particular category.
- Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
- type: string
- tolerationSeconds:
- description: |-
- TolerationSeconds represents the period of time the toleration (which must be
- of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
- it is not set, which means tolerate the taint forever (do not evict). Zero and
- negative values will be treated as 0 (evict immediately) by the system.
- format: int64
- type: integer
- value:
- description: |-
- Value is the taint value the toleration matches to.
- If the operator is Exists, the value should be empty, otherwise just a regular string.
- type: string
- type: object
- type: array
- verificationConfig:
- description: |-
- Name of VerificationConfig configmap in the kubewarden namespace (same
- namespace as the controller deployment), containing Sigstore verification
- configuration. The configuration must be under a key named
- verification-config in the Configmap.
- type: string
- required:
- - image
- - replicas
- type: object
- status:
- description: PolicyServerStatus defines the observed state of PolicyServer.
- properties:
- conditions:
- description: |-
- Conditions represent the observed conditions of the
- PolicyServer resource. Known .status.conditions.types
- are: "PolicyServerSecretReconciled",
- "PolicyServerDeploymentReconciled" and
- "PolicyServerServiceReconciled"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- required:
- - conditions
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: Policy Server replicas
- jsonPath: .spec.replicas
- name: Replicas
- type: string
- - description: Policy Server image
- jsonPath: .spec.image
- name: Image
- type: string
- deprecated: true
- deprecationWarning: This version is deprecated. Please, consider using v1
- name: v1alpha2
- schema:
- openAPIV3Schema:
- description: PolicyServer is the Schema for the policyservers API.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: PolicyServerSpec defines the desired state of PolicyServer.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is an unstructured key value map stored with a resource that may be
- set by external tools to store and retrieve arbitrary metadata. They are not
- queryable and should be preserved when modifying objects.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- type: object
- env:
- description: List of environment variables to set in the container.
- items:
- description: EnvVar represents an environment variable present in
- a Container.
- properties:
- name:
- description: |-
- Name of the environment variable.
- May consist of any printable ASCII characters except '='.
- type: string
- value:
- description: |-
- Variable references $(VAR_NAME) are expanded
- using the previously defined environment variables in the container and
- any service environment variables. If a variable cannot be resolved,
- the reference in the input string will be unchanged. Double $$ are reduced
- to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
- "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
- Escaped references will never be expanded, regardless of whether the variable
- exists or not.
- Defaults to "".
- type: string
- valueFrom:
- description: Source for the environment variable's value. Cannot
- be used if value is not empty.
- properties:
- configMapKeyRef:
- description: Selects a key of a ConfigMap.
- properties:
- key:
- description: The key to select.
- type: string
- name:
- default: ""
- description: |-
- Name of the referent.
- This field is effectively required, but due to backwards compatibility is
- allowed to be empty. Instances of this type with an empty value here are
- almost certainly wrong.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- type: string
- optional:
- description: Specify whether the ConfigMap or its key
- must be defined
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- fieldRef:
- description: |-
- Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
- spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
- properties:
- apiVersion:
- description: Version of the schema the FieldPath is
- written in terms of, defaults to "v1".
- type: string
- fieldPath:
- description: Path of the field to select in the specified
- API version.
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- fileKeyRef:
- description: |-
- FileKeyRef selects a key of the env file.
- Requires the EnvFiles feature gate to be enabled.
- properties:
- key:
- description: |-
- The key within the env file. An invalid key will prevent the pod from starting.
- The keys defined within a source may consist of any printable ASCII characters except '='.
- During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
- type: string
- optional:
- default: false
- description: |-
- Specify whether the file or its key must be defined. If the file or key
- does not exist, then the env var is not published.
- If optional is set to true and the specified key does not exist,
- the environment variable will not be set in the Pod's containers.
-
- If optional is set to false and the specified key does not exist,
- an error will be returned during Pod creation.
- type: boolean
- path:
- description: |-
- The path within the volume from which to select the file.
- Must be relative and may not contain the '..' path or start with '..'.
- type: string
- volumeName:
- description: The name of the volume mount containing
- the env file.
- type: string
- required:
- - key
- - path
- - volumeName
- type: object
- x-kubernetes-map-type: atomic
- resourceFieldRef:
- description: |-
- Selects a resource of the container: only resources limits and requests
- (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
- properties:
- containerName:
- description: 'Container name: required for volumes,
- optional for env vars'
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- description: Specifies the output format of the exposed
- resources, defaults to "1"
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- description: 'Required: resource to select'
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- secretKeyRef:
- description: Selects a key of a secret in the pod's namespace
- properties:
- key:
- description: The key of the secret to select from. Must
- be a valid secret key.
- type: string
- name:
- default: ""
- description: |-
- Name of the referent.
- This field is effectively required, but due to backwards compatibility is
- allowed to be empty. Instances of this type with an empty value here are
- almost certainly wrong.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- type: string
- optional:
- description: Specify whether the Secret or its key must
- be defined
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- type: object
- required:
- - name
- type: object
- type: array
- image:
- description: Docker image name.
- type: string
- imagePullSecret:
- description: |-
- Name of ImagePullSecret secret in the same namespace, used for pulling
- policies from repositories.
- type: string
- insecureSources:
- description: |-
- List of insecure URIs to policy repositories. The `insecureSources`
- content format corresponds with the contents of the `insecure_sources`
- key in `sources.yaml`. Reference for `sources.yaml` is found in the
- Kubewarden documentation in the reference section.
- items:
- type: string
- type: array
- replicas:
- description: Replicas is the number of desired replicas.
- format: int32
- type: integer
- serviceAccountName:
- description: |-
- Name of the service account associated with the policy server.
- Namespace service account will be used if not specified.
- type: string
- sourceAuthorities:
- additionalProperties:
- items:
- type: string
- type: array
- description: |-
- Key value map of registry URIs endpoints to a list of their associated
- PEM encoded certificate authorities that have to be used to verify the
- certificate used by the endpoint. The `sourceAuthorities` content format
- corresponds with the contents of the `source_authorities` key in
- `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden
- documentation in the reference section.
- type: object
- verificationConfig:
- description: |-
- Name of VerificationConfig configmap in the same namespace, containing
- Sigstore verification configuration. The configuration must be under a
- key named verification-config in the Configmap.
- type: string
- required:
- - image
- - replicas
- type: object
- status:
- description: PolicyServerStatus defines the observed state of PolicyServer.
- properties:
- conditions:
- description: |-
- Conditions represent the observed conditions of the
- PolicyServer resource. Known .status.conditions.types
- are: "PolicyServerSecretReconciled",
- "PolicyServerDeploymentReconciled" and
- "PolicyServerServiceReconciled"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- required:
- - conditions
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
deleted file mode 100644
index 25553f302..000000000
--- a/config/crd/kustomization.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# This kustomization.yaml is not intended to be run by itself,
-# since it depends on service name and namespace that are out of this kustomize package.
-# It should be run by config/default
-resources:
-- bases/policies.kubewarden.io_clusteradmissionpolicies.yaml
-- bases/policies.kubewarden.io_policyservers.yaml
-- bases/policies.kubewarden.io_admissionpolicies.yaml
-- bases/policies.kubewarden.io_admissionpolicygroups.yaml
-- bases/policies.kubewarden.io_clusteradmissionpolicygroups.yaml
-#+kubebuilder:scaffold:crdkustomizeresource
-
-patchesStrategicMerge:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
-# patches here are for enabling the conversion webhook for each CRD
-#- patches/webhook_in_clusteradmissionpolicies.yaml
-#- patches/webhook_in_policyservers.yaml
-#- patches/webhook_in_admissionpolicies.yaml
-#+kubebuilder:scaffold:crdkustomizewebhookpatch
-
-# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-#- patches/cainjection_in_admissionpolicies.yaml
-#- patches/cainjection_in_clusteradmissionpolicies.yaml
-#- patches/cainjection_in_policyservers.yaml
-#+kubebuilder:scaffold:crdkustomizecainjectionpatch
-
-# the following config is for teaching kustomize how to do kustomization for CRDs.
-configurations:
-- kustomizeconfig.yaml
diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml
deleted file mode 100644
index ec5c150a9..000000000
--- a/config/crd/kustomizeconfig.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# This file is for teaching kustomize how to substitute name and namespace reference in CRD
-nameReference:
-- kind: Service
- version: v1
- fieldSpecs:
- - kind: CustomResourceDefinition
- version: v1
- group: apiextensions.k8s.io
- path: spec/conversion/webhook/clientConfig/service/name
-
-namespace:
-- kind: CustomResourceDefinition
- version: v1
- group: apiextensions.k8s.io
- path: spec/conversion/webhook/clientConfig/service/namespace
- create: false
-
-varReference:
-- path: metadata/annotations
diff --git a/config/crd/patches/cainjection_in_admissionpolicies.yaml b/config/crd/patches/cainjection_in_admissionpolicies.yaml
deleted file mode 100644
index a9032640f..000000000
--- a/config/crd/patches/cainjection_in_admissionpolicies.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-# The following patch adds a directive for certmanager to inject CA into the CRD
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
- name: admissionpolicies.policies.kubewarden.io
diff --git a/config/crd/patches/cainjection_in_clusteradmissionpolicies.yaml b/config/crd/patches/cainjection_in_clusteradmissionpolicies.yaml
deleted file mode 100644
index c15de46e6..000000000
--- a/config/crd/patches/cainjection_in_clusteradmissionpolicies.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-# The following patch adds a directive for certmanager to inject CA into the CRD
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
- name: clusteradmissionpolicies.policies.kubewarden.io
diff --git a/config/crd/patches/cainjection_in_policyservers.yaml b/config/crd/patches/cainjection_in_policyservers.yaml
deleted file mode 100644
index 17613f145..000000000
--- a/config/crd/patches/cainjection_in_policyservers.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-# The following patch adds a directive for certmanager to inject CA into the CRD
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
- name: policyservers.policies.kubewarden.io
diff --git a/config/crd/patches/webhook_in_admissionpolicies.yaml b/config/crd/patches/webhook_in_admissionpolicies.yaml
deleted file mode 100644
index 9aa650a8a..000000000
--- a/config/crd/patches/webhook_in_admissionpolicies.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# The following patch enables a conversion webhook for the CRD
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: admissionpolicies.policies.kubewarden.io
-spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- namespace: system
- name: webhook-service
- path: /convert
- conversionReviewVersions:
- - v1
diff --git a/config/crd/patches/webhook_in_clusteradmissionpolicies.yaml b/config/crd/patches/webhook_in_clusteradmissionpolicies.yaml
deleted file mode 100644
index d0a857b3f..000000000
--- a/config/crd/patches/webhook_in_clusteradmissionpolicies.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# The following patch enables a conversion webhook for the CRD
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: clusteradmissionpolicies.policies.kubewarden.io
-spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- namespace: system
- name: webhook-service
- path: /convert
- conversionReviewVersions:
- - v1
diff --git a/config/crd/patches/webhook_in_policyservers.yaml b/config/crd/patches/webhook_in_policyservers.yaml
deleted file mode 100644
index 7026c145e..000000000
--- a/config/crd/patches/webhook_in_policyservers.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# The following patch enables a conversion webhook for the CRD
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: policyservers.policies.kubewarden.io
-spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- namespace: system
- name: webhook-service
- path: /convert
- conversionReviewVersions:
- - v1
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
deleted file mode 100644
index 40e89fccb..000000000
--- a/config/default/kustomization.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-# Adds namespace to all resources.
-namespace: kubewarden-controller-system
-
-# Value of this field is prepended to the
-# names of all resources, e.g. a deployment named
-# "wordpress" becomes "alices-wordpress".
-# Note that it should also match with the prefix (text before '-') of the namespace
-# field above.
-namePrefix: kubewarden-controller-
-
-# Labels to add to all resources and selectors.
-#commonLabels:
-# someName: someValue
-
-bases:
- - ../crd
- - ../rbac
- - ../manager
- # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
- # crd/kustomization.yaml
- - ../webhook
- # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
- # - ../certmanager
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-#- ../prometheus
-
-patchesStrategicMerge:
- # Protect the /metrics endpoint by putting it behind auth.
- # If you want your controller-manager to expose the /metrics
- # endpoint w/o any authn/z, please comment the following line.
- #- manager_auth_proxy_patch.yaml
-
- # Mount the controller config file for loading manager configurations
- # through a ComponentConfig type
- #- manager_config_patch.yaml
-
- # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
- # crd/kustomization.yaml
- - manager_webhook_patch.yaml
-
- # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
- # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
- # 'CERTMANAGER' needs to be enabled to use ca injection
- # - webhookcainjection_patch.yaml
-
-# the following config is for teaching kustomize how to do var substitution
-vars:
- # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
- # - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
- # objref:
- # kind: Certificate
- # group: cert-manager.io
- # version: v1
- # name: serving-cert # this name should match the one in certificate.yaml
- # fieldref:
- # fieldpath: metadata.namespace
- # - name: CERTIFICATE_NAME
- # objref:
- # kind: Certificate
- # group: cert-manager.io
- # version: v1
- # name: serving-cert # this name should match the one in certificate.yaml
- - name: SERVICE_NAMESPACE # namespace of the service
- objref:
- kind: Service
- version: v1
- name: webhook-service
- fieldref:
- fieldpath: metadata.namespace
- - name: SERVICE_NAME
- objref:
- kind: Service
- version: v1
- name: webhook-service
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
deleted file mode 100644
index a224be19e..000000000
--- a/config/default/manager_auth_proxy_patch.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: kube-rbac-proxy
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=10"
- ports:
- - containerPort: 8443
- name: https
- - name: manager
- args:
- - "--health-probe-bind-address=:8081"
- - "--metrics-bind-address=127.0.0.1:8080"
- - "--leader-elect"
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
deleted file mode 100644
index 6c400155c..000000000
--- a/config/default/manager_config_patch.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: manager
- args:
- - "--config=controller_manager_config.yaml"
- volumeMounts:
- - name: manager-config
- mountPath: /controller_manager_config.yaml
- subPath: controller_manager_config.yaml
- volumes:
- - name: manager-config
- configMap:
- name: manager-config
diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml
deleted file mode 100644
index 738de350b..000000000
--- a/config/default/manager_webhook_patch.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: manager
- ports:
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- volumeMounts:
- - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
- readOnly: true
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: webhook-server-cert
diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml
deleted file mode 100644
index 02ab515d4..000000000
--- a/config/default/webhookcainjection_patch.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# This patch add annotation to admission webhook config and
-# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: mutating-webhook-configuration
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: validating-webhook-configuration
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml
deleted file mode 100644
index 90f426d4f..000000000
--- a/config/manager/controller_manager_config.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
-kind: ControllerManagerConfig
-health:
- healthProbeBindAddress: :8081
-metrics:
- bindAddress: 127.0.0.1:8080
-webhook:
- port: 9443
-leaderElection:
- leaderElect: true
- resourceName: a4ddbf36.kubewarden.io
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
deleted file mode 100644
index 5e793dd19..000000000
--- a/config/manager/kustomization.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-resources:
-- manager.yaml
-
-generatorOptions:
- disableNameSuffixHash: true
-
-configMapGenerator:
-- files:
- - controller_manager_config.yaml
- name: manager-config
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-images:
-- name: controller
- newName: controller
- newTag: latest
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
deleted file mode 100644
index 79adfe72a..000000000
--- a/config/manager/manager.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- control-plane: controller-manager
- name: system
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
- labels:
- control-plane: controller-manager
-spec:
- selector:
- matchLabels:
- control-plane: controller-manager
- replicas: 1
- template:
- metadata:
- labels:
- control-plane: controller-manager
- spec:
- securityContext:
- runAsNonRoot: true
- containers:
- - command:
- - /manager
- args:
- - --leader-elect
- image: controller:latest
- name: manager
- securityContext:
- allowPrivilegeEscalation: false
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8081
- initialDelaySeconds: 15
- periodSeconds: 20
- readinessProbe:
- httpGet:
- path: /readyz
- port: 8081
- initialDelaySeconds: 5
- periodSeconds: 10
- resources:
- limits:
- cpu: 100m
- memory: 30Mi
- requests:
- cpu: 100m
- memory: 20Mi
- serviceAccountName: controller-manager
- terminationGracePeriodSeconds: 10
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
deleted file mode 100644
index ed137168a..000000000
--- a/config/prometheus/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- monitor.yaml
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
deleted file mode 100644
index d19136ae7..000000000
--- a/config/prometheus/monitor.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-
-# Prometheus Monitor Service (Metrics)
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- labels:
- control-plane: controller-manager
- name: controller-manager-metrics-monitor
- namespace: system
-spec:
- endpoints:
- - path: /metrics
- port: https
- scheme: https
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
- tlsConfig:
- insecureSkipVerify: true
- selector:
- matchLabels:
- control-plane: controller-manager
diff --git a/config/rbac/admissionpolicy_editor_role.yaml b/config/rbac/admissionpolicy_editor_role.yaml
deleted file mode 100644
index 6080388bc..000000000
--- a/config/rbac/admissionpolicy_editor_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# permissions for end users to edit admissionpolicies.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: admissionpolicy-editor-role
-rules:
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - admissionpolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - admissionpolicies/status
- verbs:
- - get
diff --git a/config/rbac/admissionpolicy_viewer_role.yaml b/config/rbac/admissionpolicy_viewer_role.yaml
deleted file mode 100644
index 56986a40d..000000000
--- a/config/rbac/admissionpolicy_viewer_role.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# permissions for end users to view admissionpolicies.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: admissionpolicy-viewer-role
-rules:
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - admissionpolicies
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - admissionpolicies/status
- verbs:
- - get
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
deleted file mode 100644
index 51a75db47..000000000
--- a/config/rbac/auth_proxy_client_clusterrole.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: metrics-reader
-rules:
-- nonResourceURLs:
- - "/metrics"
- verbs:
- - get
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index 80e1857c5..000000000
--- a/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: proxy-role
-rules:
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
deleted file mode 100644
index ec7acc0a1..000000000
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: proxy-role
-subjects:
-- kind: ServiceAccount
- name: controller-manager
- namespace: system
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index 6cf656be1..000000000
--- a/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- control-plane: controller-manager
- name: controller-manager-metrics-service
- namespace: system
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
diff --git a/config/rbac/clusteradmissionpolicy_editor_role.yaml b/config/rbac/clusteradmissionpolicy_editor_role.yaml
deleted file mode 100644
index 052d34c40..000000000
--- a/config/rbac/clusteradmissionpolicy_editor_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# permissions for end users to edit clusteradmissionpolicies.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: clusteradmissionpolicy-editor-role
-rules:
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - clusteradmissionpolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - clusteradmissionpolicies/status
- verbs:
- - get
diff --git a/config/rbac/clusteradmissionpolicy_viewer_role.yaml b/config/rbac/clusteradmissionpolicy_viewer_role.yaml
deleted file mode 100644
index 816428d54..000000000
--- a/config/rbac/clusteradmissionpolicy_viewer_role.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# permissions for end users to view clusteradmissionpolicies.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: clusteradmissionpolicy-viewer-role
-rules:
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - clusteradmissionpolicies
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - clusteradmissionpolicies/status
- verbs:
- - get
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
deleted file mode 100644
index 40bc8c2a1..000000000
--- a/config/rbac/kustomization.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
-- role.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-#- auth_proxy_service.yaml
-#- auth_proxy_role.yaml
-#- auth_proxy_role_binding.yaml
-#- auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
deleted file mode 100644
index 4190ec805..000000000
--- a/config/rbac/leader_election_role.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# permissions to do leader election.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: leader-election-role
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
deleted file mode 100644
index 1d1321ed4..000000000
--- a/config/rbac/leader_election_role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: leader-election-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: leader-election-role
-subjects:
-- kind: ServiceAccount
- name: controller-manager
- namespace: system
diff --git a/config/rbac/policyserver_editor_role.yaml b/config/rbac/policyserver_editor_role.yaml
deleted file mode 100644
index ecaba4204..000000000
--- a/config/rbac/policyserver_editor_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# permissions for end users to edit policyservers.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: policyserver-editor-role
-rules:
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - policyservers
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - policyservers/status
- verbs:
- - get
diff --git a/config/rbac/policyserver_viewer_role.yaml b/config/rbac/policyserver_viewer_role.yaml
deleted file mode 100644
index e4dec79de..000000000
--- a/config/rbac/policyserver_viewer_role.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# permissions for end users to view policyservers.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: policyserver-viewer-role
-rules:
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - policyservers
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - policyservers/status
- verbs:
- - get
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
deleted file mode 100644
index a959d9b9d..000000000
--- a/config/rbac/role.yaml
+++ /dev/null
@@ -1,116 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: controller-role
-rules:
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - create
- - delete
- - list
- - patch
- - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - admissionpolicies
- - admissionpolicygroups
- - clusteradmissionpolicies
- - clusteradmissionpolicygroups
- - policyservers
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - admissionpolicies/finalizers
- - admissionpolicygroups/finalizers
- - clusteradmissionpolicies/finalizers
- - clusteradmissionpolicygroups/finalizers
- - policyservers/finalizers
- verbs:
- - update
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - admissionpolicies/status
- - admissionpolicygroups/status
- - clusteradmissionpolicies/status
- - clusteradmissionpolicygroups/status
- - policyservers/status
- verbs:
- - get
- - patch
- - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: controller-role
- namespace: kubewarden
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- - secrets
- - services
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - apps
- resources:
- - deployments
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - apps
- resources:
- - replicasets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - policy
- resources:
- - poddisruptionbudgets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
deleted file mode 100644
index 2070ede44..000000000
--- a/config/rbac/role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: manager-role
-subjects:
-- kind: ServiceAccount
- name: controller-manager
- namespace: system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
deleted file mode 100644
index 7cd6025bf..000000000
--- a/config/rbac/service_account.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: controller-manager
- namespace: system
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
deleted file mode 100644
index 9cf26134e..000000000
--- a/config/webhook/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-resources:
-- manifests.yaml
-- service.yaml
-
-configurations:
-- kustomizeconfig.yaml
diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml
deleted file mode 100644
index 25e21e3c9..000000000
--- a/config/webhook/kustomizeconfig.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# the following config is for teaching kustomize where to look at when substituting vars.
-# It requires kustomize v2.1.0 or newer to work properly.
-nameReference:
-- kind: Service
- version: v1
- fieldSpecs:
- - kind: MutatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/name
- - kind: ValidatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/name
-
-namespace:
-- kind: MutatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/namespace
- create: true
-- kind: ValidatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/namespace
- create: true
-
-varReference:
-- path: metadata/annotations
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
deleted file mode 100644
index ec2f5c9f8..000000000
--- a/config/webhook/manifests.yaml
+++ /dev/null
@@ -1,221 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: mutating-webhook-configuration
-webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /mutate-policies-kubewarden-io-v1-admissionpolicy
- failurePolicy: Fail
- name: madmissionpolicy.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - admissionpolicies
- sideEffects: None
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /mutate-policies-kubewarden-io-v1-admissionpolicygroup
- failurePolicy: Fail
- name: madmissionpolicygroup.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - admissionpolicygroups
- sideEffects: None
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /mutate-policies-kubewarden-io-v1-clusteradmissionpolicy
- failurePolicy: Fail
- name: mclusteradmissionpolicy.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusteradmissionpolicies
- sideEffects: None
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /mutate-policies-kubewarden-io-v1-clusteradmissionpolicygroup
- failurePolicy: Fail
- name: mclusteradmissionpolicygroup.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusteradmissionpolicygroups
- sideEffects: None
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /mutate-policies-kubewarden-io-v1-policyserver
- failurePolicy: Fail
- name: mpolicyserver.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - policyservers
- sideEffects: None
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: validating-webhook-configuration
-webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /validate-policies-kubewarden-io-v1-admissionpolicy
- failurePolicy: Fail
- name: vadmissionpolicy.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - admissionpolicies
- sideEffects: None
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /validate-policies-kubewarden-io-v1-admissionpolicygroup
- failurePolicy: Fail
- name: vadmissionpolicygroup.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - admissionpolicygroups
- sideEffects: None
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /validate-policies-kubewarden-io-v1-clusteradmissionpolicy
- failurePolicy: Fail
- name: vclusteradmissionpolicy.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusteradmissionpolicies
- sideEffects: None
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /validate-policies-kubewarden-io-v1-clusteradmissionpolicygroup
- failurePolicy: Fail
- name: vclusteradmissionpolicygroup.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusteradmissionpolicygroups
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: webhook-service
- namespace: system
- path: /validate-policies-kubewarden-io-v1-policyserver
- failurePolicy: Fail
- name: vpolicyserver.kb.io
- rules:
- - apiGroups:
- - policies.kubewarden.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - policyservers
- sideEffects: None
diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml
deleted file mode 100644
index 31e0f8295..000000000
--- a/config/webhook/service.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-
-apiVersion: v1
-kind: Service
-metadata:
- name: webhook-service
- namespace: system
-spec:
- ports:
- - port: 443
- targetPort: 9443
- selector:
- control-plane: controller-manager
diff --git a/config/samples/policies_v1_admissionpolicy.yaml b/examples/policies_v1_admissionpolicy.yaml
similarity index 94%
rename from config/samples/policies_v1_admissionpolicy.yaml
rename to examples/policies_v1_admissionpolicy.yaml
index e48539819..9e6920949 100644
--- a/config/samples/policies_v1_admissionpolicy.yaml
+++ b/examples/policies_v1_admissionpolicy.yaml
@@ -2,7 +2,7 @@ apiVersion: policies.kubewarden.io/v1
kind: AdmissionPolicy
metadata:
name: capabilities-psp
- namespace: kubewarden
+ namespace: default
spec:
module: registry://ghcr.io/kubewarden/policies/capabilities-psp:v0.1.9
rules:
diff --git a/examples/policies_v1_admissionpolicygroup.yaml b/examples/policies_v1_admissionpolicygroup.yaml
new file mode 100644
index 000000000..0960dc892
--- /dev/null
+++ b/examples/policies_v1_admissionpolicygroup.yaml
@@ -0,0 +1,46 @@
+apiVersion: policies.kubewarden.io/v1
+kind: AdmissionPolicyGroup
+metadata:
+ name: demo
+ namespace: default
+spec:
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations:
+ - CREATE
+ - UPDATE
+ policies:
+ signed_by_alice:
+ module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.3.0
+ settings:
+ modifyImagesWithDigest: false
+ signatures:
+ - image: "*"
+ pubKeys:
+ - |
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyg65hiNHt8FXTamzCn34IE3qMGcV
+ yQz3gPlhoKq3yqa1GIofcgLjUZtcKlUSVAU2/S5gXqyDnsW6466Jx/ZVlg==
+ -----END PUBLIC KEY-----
+ signed_by_bob:
+ module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.3.0
+ settings:
+ modifyImagesWithDigest: false
+ signatures:
+ - image: "*"
+ pubKeys:
+ - |
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEswA3Ec4w1ErOpeLPfCdkrh8jvk3X
+ urm8ZrXi4S3an70k8bf1OlGnI/aHCcGleewHbBk1iByySMwr8BabchXGSg==
+ -----END PUBLIC KEY-----
+ reject_latest:
+ module: registry://ghcr.io/kubewarden/policies/trusted-repos:v0.2.0
+ settings:
+ tags:
+ reject:
+ - latest
+ expression: "reject_latest() || (signed_by_alice() && signed_by_bob())"
+ message: "the image is using the latest tag or is not signed by Alice and Bob"
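Review bot: The `expression:` line and the `message:` line below it describe different policies: the group admits a request when `reject_latest() || (signed_by_alice() && signed_by_bob())` is true, so an image signed by both keys is admitted even on the `latest` tag and an unsigned image is admitted as long as it avoids `latest`, yet the message tells the rejected user the image "is using the latest tag or is not signed by Alice and Bob". If the message states the intended rule, the conjunction is what enforces it: `expression: "reject_latest() && signed_by_alice() && signed_by_bob()"`. This reading assumes a policy-group expression evaluates to the accept condition, as the `reject_latest` naming of the trusted-repos result suggests; worth confirming against the group semantics before copying the example. Separately, both signature policies set `modifyImagesWithDigest: false`, so the admitted pod still references a mutable tag after verification; a comment such as `# set modifyImagesWithDigest: true to pin the verified image to its digest` would make this safer to reuse.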
diff --git a/config/samples/policies_v1_clusteradmissionpolicy.yaml b/examples/policies_v1_clusteradmissionpolicy.yaml
similarity index 100%
rename from config/samples/policies_v1_clusteradmissionpolicy.yaml
rename to examples/policies_v1_clusteradmissionpolicy.yaml
diff --git a/examples/policies_v1_clusteradmissionpolicygroup.yaml b/examples/policies_v1_clusteradmissionpolicygroup.yaml
new file mode 100644
index 000000000..49a8f0d25
--- /dev/null
+++ b/examples/policies_v1_clusteradmissionpolicygroup.yaml
@@ -0,0 +1,45 @@
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicyGroup
+metadata:
+ name: demo
+spec:
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations:
+ - CREATE
+ - UPDATE
+ policies:
+ signed_by_alice:
+ module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.3.0
+ settings:
+ modifyImagesWithDigest: false
+ signatures:
+ - image: "*"
+ pubKeys:
+ - |
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyg65hiNHt8FXTamzCn34IE3qMGcV
+ yQz3gPlhoKq3yqa1GIofcgLjUZtcKlUSVAU2/S5gXqyDnsW6466Jx/ZVlg==
+ -----END PUBLIC KEY-----
+ signed_by_bob:
+ module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.3.0
+ settings:
+ modifyImagesWithDigest: false
+ signatures:
+ - image: "*"
+ pubKeys:
+ - |
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEswA3Ec4w1ErOpeLPfCdkrh8jvk3X
+ urm8ZrXi4S3an70k8bf1OlGnI/aHCcGleewHbBk1iByySMwr8BabchXGSg==
+ -----END PUBLIC KEY-----
+ reject_latest:
+ module: registry://ghcr.io/kubewarden/policies/trusted-repos:v0.2.0
+ settings:
+ tags:
+ reject:
+ - latest
+ expression: "reject_latest() || (signed_by_alice() && signed_by_bob())"
+ message: "the image is using the latest tag or is not signed by Alice and Bob"
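Review bot: The accept expression on the `expression:` line is looser than the `message:` claims: with `||`, a pod whose image uses `latest` is still admitted when it is signed by both keys, and an unsigned image is admitted whenever it avoids `latest`, while the message presented on rejection says the image "is using the latest tag or is not signed by Alice and Bob". If that message is the intended rule, the expression should be `expression: "reject_latest() && signed_by_alice() && signed_by_bob()"`. This assumes policy-group expressions evaluate to the accept condition, which the `reject_latest` naming implies but the example does not state; a one-line comment spelling that out (`# the request is accepted when the expression is true`) would remove the ambiguity. Note also that this is a cluster-scoped group with no namespace restriction and `image: "*"`, and `modifyImagesWithDigest: false` leaves the verified image referenced by tag rather than digest, so readers copying it should be told which namespaces it is meant to cover and that digest pinning is off.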
diff --git a/config/samples/policies_v1_policyserver.yaml b/examples/policies_v1_policyserver.yaml
similarity index 100%
rename from config/samples/policies_v1_policyserver.yaml
rename to examples/policies_v1_policyserver.yaml
diff --git a/config/samples/policies_v1alpha1_clusteradmissionpolicy.yaml b/examples/policies_v1alpha1_clusteradmissionpolicy.yaml
similarity index 100%
rename from config/samples/policies_v1alpha1_clusteradmissionpolicy.yaml
rename to examples/policies_v1alpha1_clusteradmissionpolicy.yaml
diff --git a/config/samples/policies_v1alpha2_admissionpolicy.yaml b/examples/policies_v1alpha2_admissionpolicy.yaml
similarity index 100%
rename from config/samples/policies_v1alpha2_admissionpolicy.yaml
rename to examples/policies_v1alpha2_admissionpolicy.yaml
diff --git a/config/samples/policies_v1alpha2_clusteradmissionpolicy.yaml b/examples/policies_v1alpha2_clusteradmissionpolicy.yaml
similarity index 100%
rename from config/samples/policies_v1alpha2_clusteradmissionpolicy.yaml
rename to examples/policies_v1alpha2_clusteradmissionpolicy.yaml
diff --git a/config/samples/policies_v1alpha2_policyserver.yaml b/examples/policies_v1alpha2_policyserver.yaml
similarity index 100%
rename from config/samples/policies_v1alpha2_policyserver.yaml
rename to examples/policies_v1alpha2_policyserver.yaml
diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go
index 564583873..1a21434dd 100644
--- a/internal/controller/suite_test.go
+++ b/internal/controller/suite_test.go
@@ -67,7 +67,7 @@ var _ = SynchronizedBeforeSuite(func() []byte {
ctx, cancel := context.WithCancel(context.TODO())
testEnv := &envtest.Environment{
- CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")},
+ CRDDirectoryPaths: []string{filepath.Join("..", "..", "charts", "kubewarden-crds", "templates", "crds")},
ErrorIfCRDPathMissing: true,
}