diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index 676e999409..c44e00a92a 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -51,7 +51,7 @@ dependencies: version: 4.6.0 repository: https://kubereboot.github.io/charts - name: kyverno - version: 3.1.4 + version: 3.4.1 repository: https://kyverno.github.io/kyverno/ - name: loki-distributed alias: loki diff --git a/charts/kyverno/.helmignore b/charts/kyverno/.helmignore deleted file mode 100644 index 85df807a75..0000000000 --- a/charts/kyverno/.helmignore +++ /dev/null @@ -1,3 +0,0 @@ -.helmignore -ci/ -README.md.gotmpl diff --git a/charts/kyverno/Chart.lock b/charts/kyverno/Chart.lock new file mode 100644 index 0000000000..5cde9d0ad1 --- /dev/null +++ b/charts/kyverno/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: grafana + repository: "" + version: 3.4.1 +- name: crds + repository: "" + version: 3.4.1 +digest: sha256:3d2f7b50b356e76cded3843a17ea5b83ca08b40b7cbda5f6ec621473f986459a +generated: "2025-04-30T14:55:51.216823113Z" diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 2a57197b04..1fb2a965dd 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -1,40 +1,45 @@ -apiVersion: v2 -type: application -name: kyverno -version: 3.1.4 -appVersion: v1.11.4 -icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png -description: Kubernetes Native Policy Management -keywords: - - kubernetes - - nirmata - - policy agent - - policy - - validating webhook - - admission controller - - mutation - - mutate - - validate - - generate - - supply chain - - security -home: https://kyverno.io/ -sources: - - https://github.com/kyverno/kyverno -maintainers: - - name: Nirmata - url: https://kyverno.io/ -kubeVersion: ">=1.25.0-0" annotations: - artifacthub.io/operator: "false" - artifacthub.io/prerelease: "false" + artifacthub.io/changes: | + - kind: added + description: Add toggle for enabeling/disabling aggregating the user-facing roles with the kyverno rbac. artifacthub.io/links: | - name: Documentation url: https://kyverno.io/docs + artifacthub.io/operator: "false" + artifacthub.io/prerelease: "false" +apiVersion: v2 +appVersion: v1.14.1 dependencies: - - name: grafana - version: "0.0.0" - condition: grafana.enabled - - name: crds - version: "3.1.4" - condition: crds.install +- condition: grafana.enabled + name: grafana + repository: "" + version: 3.4.1 +- condition: crds.install + name: crds + repository: "" + version: 3.4.1 +description: Kubernetes Native Policy Management +home: https://kyverno.io/ +icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png +keywords: +- kubernetes +- nirmata +- policy agent +- policy +- validating webhook +- admission controller +- mutation +- mutate +- validate +- generate +- supply chain +- security +kubeVersion: '>=1.25.0-0' +maintainers: +- name: Nirmata + url: https://kyverno.io/ +name: kyverno +sources: +- https://github.com/kyverno/kyverno +type: application +version: 3.4.1 diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index bcb6fef534..adfb0b7eea 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -2,7 +2,7 @@ Kubernetes Native Policy Management -![Version: 3.1.4](https://img.shields.io/badge/Version-3.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.4](https://img.shields.io/badge/AppVersion-v1.11.4-informational?style=flat-square) +![Version: 3.4.1](https://img.shields.io/badge/Version-3.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.14.1](https://img.shields.io/badge/AppVersion-v1.14.1-informational?style=flat-square) ## About @@ -109,6 +109,10 @@ spec: - Replace=true ``` +**Notes on using Azure Kubernetes Service (AKS):** + +AKS contains a component known as [Admission Enforcer](https://learn.microsoft.com/en-us/azure/aks/faq#can-admission-controller-webhooks-impact-kube-system-and-internal-aks-namespaces) which will attempt to modify Kyverno's webhooks if not excluded explicitly during Helm installation. If Admissions Enforcer is not disabled, this can lead to several symptoms such as high observed CPU usage and potentially cluster instability. Please see the Kyverno documentation [here](https://kyverno.io/docs/installation/platform-notes/#notes-for-aks-users) for more information and how to set this annotation on webhooks. + ## Migrating from v2 to v3 Direct upgrades from v2 of the Helm chart to v3 are not supported due to the number of breaking changes and manual intervention is required. Review and select an option after carefully reading below. Because either method requires down time, an upgrade should only be performed during a maintenance window. Regardless of the chosen option, please read all release notes very carefully to understand the full extent of changes brought by Kyverno 1.10. Release notes can be found at https://github.com/kyverno/kyverno/releases. @@ -253,14 +257,38 @@ The chart values are organised per component. | Key | Type | Default | Description | |-----|------|---------|-------------| | crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created | +| crds.groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | Install CRDs in group `kyverno.io` | +| crds.groups.policies | object | `{"imagevalidatingpolicies":true,"policyexceptions":true,"validatingpolicies":true}` | Install CRDs in group `policies.kyverno.io` | +| crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` | +| crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` | | crds.annotations | object | `{}` | Additional CRDs annotations | | crds.customLabels | object | `{}` | Additional CRDs labels | +| crds.migration.enabled | bool | `true` | Enable CRDs migration using helm post upgrade hook | +| crds.migration.resources | list | `["cleanuppolicies.kyverno.io","clustercleanuppolicies.kyverno.io","clusterpolicies.kyverno.io","globalcontextentries.kyverno.io","policies.kyverno.io","policyexceptions.kyverno.io","updaterequests.kyverno.io"]` | Resources to migrate | +| crds.migration.image.registry | string | `nil` | Image registry | +| crds.migration.image.defaultRegistry | string | `"reg.kyverno.io"` | | +| crds.migration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository | +| crds.migration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| crds.migration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| crds.migration.imagePullSecrets | list | `[]` | Image pull secrets | +| crds.migration.podSecurityContext | object | `{}` | Security context for the pod | +| crds.migration.nodeSelector | object | `{}` | Node labels for pod assignment | +| crds.migration.tolerations | list | `[]` | List of node taints to tolerate | +| crds.migration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | +| crds.migration.podAffinity | object | `{}` | Pod affinity constraints. | +| crds.migration.podLabels | object | `{}` | Pod labels. | +| crds.migration.podAnnotations | object | `{}` | Pod annotations. | +| crds.migration.nodeAffinity | object | `{}` | Node affinity constraints. | +| crds.migration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | +| crds.migration.podResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| crds.migration.podResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | ### Config | Key | Type | Default | Description | |-----|------|---------|-------------| | config.create | bool | `true` | Create the configmap. | +| config.preserve | bool | `true` | Preserve the configmap settings during upgrade. | | config.name | string | `nil` | The configmap name (required if `create` is `false`). | | config.annotations | object | `{}` | Additional annotations to add to the configmap. | | config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. | @@ -271,11 +299,16 @@ The chart values are organised per component. | config.excludeClusterRoles | list | `[]` | Exclude roles | | config.generateSuccessEvents | bool | `false` | Generate success events. | | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | -| config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | -| config.webhookAnnotations | object | `{}` | Defines annotations to set on webhook configurations. | +| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. | +| config.webhooks | object | `{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}` | Defines the `namespaceSelector`/`objectSelector` in the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | +| config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. | +| config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. | | config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). | | config.excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | | config.resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | +| config.resourceFiltersExclude | list | `[]` | resourceFilters exclude list Items to exclude from config.resourceFilters | +| config.resourceFiltersIncludeNamespaces | list | `[]` | resourceFilter namespace include Namespaces to include to the default resourceFilters | +| config.resourceFiltersInclude | list | `[]` | resourceFilters include list Items to include to config.resourceFilters | ### Metrics config @@ -288,7 +321,7 @@ The chart values are organised per component. | metricsConfig.namespaces.exclude | list | `[]` | list of namespaces to NOT capture metrics for. | | metricsConfig.metricsRefreshInterval | string | `nil` | Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0 | | metricsConfig.bucketBoundaries | list | `[0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10,15,20,25,30]` | Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller | -| metricsConfig.metricsExposure | map | `nil` | Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller | +| metricsConfig.metricsExposure | map | `{"kyverno_admission_requests_total":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_admission_review_duration_seconds":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_cleanup_controller_deletedobjects_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_policy_results_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_rule_info_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]}}` | Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller | ### Features @@ -298,6 +331,11 @@ The chart values are organised per component. | features.aggregateReports.enabled | bool | `true` | Enables the feature | | features.policyReports.enabled | bool | `true` | Enables the feature | | features.validatingAdmissionPolicyReports.enabled | bool | `false` | Enables the feature | +| features.reporting.validate | bool | `true` | Enables the feature | +| features.reporting.mutate | bool | `true` | Enables the feature | +| features.reporting.mutateExisting | bool | `true` | Enables the feature | +| features.reporting.imageVerify | bool | `true` | Enables the feature | +| features.reporting.generate | bool | `true` | Enables the feature | | features.autoUpdateWebhooks.enabled | bool | `true` | Enables the feature | | features.backgroundScan.enabled | bool | `true` | Enables the feature | | features.backgroundScan.backgroundScanWorkers | int | `2` | Number of background scan workers | @@ -308,39 +346,55 @@ The chart values are organised per component. | features.dumpPayload.enabled | bool | `false` | Enables the feature | | features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature | | features.generateValidatingAdmissionPolicy.enabled | bool | `false` | Enables the feature | +| features.dumpPatches.enabled | bool | `false` | Enables the feature | +| features.globalContext.maxApiCallResponseLength | int | `2000000` | Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended) | | features.logging.format | string | `"text"` | Logging format | | features.logging.verbosity | int | `2` | Logging verbosity | -| features.omitEvents.eventTypes | list | `[]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) | -| features.policyExceptions.enabled | bool | `true` | Enables the feature | -| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace | +| features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) | +| features.policyExceptions.enabled | bool | `false` | Enables the feature | +| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace Set to "*" to allow exceptions in all namespaces | | features.protectManagedResources.enabled | bool | `false` | Enables the feature | | features.registryClient.allowInsecure | bool | `false` | Allow insecure registry | | features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers | -| features.reports.chunkSize | int | `1000` | Reports chunk size | | features.ttlController.reconciliationInterval | string | `"1m"` | Reconciliation interval for the label based cleanup manager | | features.tuf.enabled | bool | `false` | Enables the feature | -| features.tuf.root | string | `nil` | Tuf root | +| features.tuf.root | string | `nil` | Path to Tuf root | +| features.tuf.rootRaw | string | `nil` | Raw Tuf root | | features.tuf.mirror | string | `nil` | Tuf mirror | ### Admission controller | Key | Type | Default | Description | |-----|------|---------|-------------| -| admissionController.featuresOverride | object | `{}` | Overrides features defined at the root level | +| admissionController.autoscaling.enabled | bool | `false` | Enable horizontal pod autoscaling | +| admissionController.autoscaling.minReplicas | int | `1` | Minimum number of pods | +| admissionController.autoscaling.maxReplicas | int | `10` | Maximum number of pods | +| admissionController.autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization percentage | +| admissionController.autoscaling.behavior | object | `{}` | Configurable scaling behavior | +| admissionController.featuresOverride | object | `{"admissionReports":{"backPressureThreshold":1000}}` | Overrides features defined at the root level | +| admissionController.featuresOverride.admissionReports.backPressureThreshold | int | `1000` | Max number of admission reports allowed in flight until the admission controller stops creating new ones | | admissionController.rbac.create | bool | `true` | Create RBAC resources | +| admissionController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | +| admissionController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | | admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| admissionController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | | admissionController.replicas | int | `nil` | Desired number of pods | +| admissionController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| admissionController.resyncPeriod | string | `"15m"` | Resync period for informers | | admissionController.podLabels | object | `{}` | Additional labels to add to each pod | | admissionController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| admissionController.annotations | object | `{}` | Deployment annotations. | | admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | admissionController.priorityClassName | string | `""` | Optional priority class | | admissionController.apiPriorityAndFairness | bool | `false` | Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ | | admissionController.priorityLevelConfigurationSpec | object | See [values.yaml](values.yaml) | Priority level configuration. The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration | | admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| admissionController.webhookServer | object | `{"port":9443}` | admissionController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to | | admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| admissionController.dnsConfig | object | `{}` | `dnsConfig` allows to specify DNS configuration for the pod. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. | | admissionController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | | admissionController.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | | admissionController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | @@ -357,8 +411,11 @@ The chart values are organised per component. | admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | | admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | | admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | +| admissionController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| admissionController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.admissionController.caCertificates.data` is defined | | admissionController.imagePullSecrets | list | `[]` | Image pull secrets | -| admissionController.initContainer.image.registry | string | `"ghcr.io"` | Image registry | +| admissionController.initContainer.image.registry | string | `nil` | Image registry | +| admissionController.initContainer.image.defaultRegistry | string | `"reg.kyverno.io"` | | | admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository | | admissionController.initContainer.image.tag | string | `nil` | Image tag If missing, defaults to image.tag | | admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy | @@ -367,7 +424,8 @@ The chart values are organised per component. | admissionController.initContainer.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | | admissionController.initContainer.extraArgs | object | `{}` | Additional container args. | | admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. | -| admissionController.container.image.registry | string | `"ghcr.io"` | Image registry | +| admissionController.container.image.registry | string | `nil` | Image registry | +| admissionController.container.image.defaultRegistry | string | `"reg.kyverno.io"` | | | admissionController.container.image.repository | string | `"kyverno/kyverno"` | Image repository | | admissionController.container.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | admissionController.container.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | @@ -407,6 +465,10 @@ The chart values are organised per component. | admissionController.metering.port | int | `8000` | Prometheus endpoint port | | admissionController.metering.collector | string | `""` | Otel collector endpoint | | admissionController.metering.creds | string | `""` | Otel collector credentials | +| admissionController.profiling.enabled | bool | `false` | Enable profiling | +| admissionController.profiling.port | int | `6060` | Profiling endpoint port | +| admissionController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| admissionController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | ### Background controller @@ -415,22 +477,29 @@ The chart values are organised per component. | backgroundController.featuresOverride | object | `{}` | Overrides features defined at the root level | | backgroundController.enabled | bool | `true` | Enable background controller. | | backgroundController.rbac.create | bool | `true` | Create RBAC resources | +| backgroundController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | +| backgroundController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name | | backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | | backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | -| backgroundController.image.registry | string | `"ghcr.io"` | Image registry | +| backgroundController.image.registry | string | `nil` | Image registry | +| backgroundController.image.defaultRegistry | string | `"reg.kyverno.io"` | | | backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository | | backgroundController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | backgroundController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | backgroundController.imagePullSecrets | list | `[]` | Image pull secrets | | backgroundController.replicas | int | `nil` | Desired number of pods | +| backgroundController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| backgroundController.resyncPeriod | string | `"15m"` | Resync period for informers | | backgroundController.podLabels | object | `{}` | Additional labels to add to each pod | | backgroundController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| backgroundController.annotations | object | `{}` | Deployment annotations. | | backgroundController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | backgroundController.priorityClassName | string | `""` | Optional priority class | | backgroundController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | | backgroundController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| backgroundController.dnsConfig | object | `{}` | `dnsConfig` allows to specify DNS configuration for the pod. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. | | backgroundController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | | backgroundController.extraEnvVars | list | `[]` | Additional container environment variables. | | backgroundController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | @@ -447,6 +516,8 @@ The chart values are organised per component. | backgroundController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | | backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | | backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| backgroundController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| backgroundController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.backgroundController.caCertificates.data` is defined | | backgroundController.metricsService.create | bool | `true` | Create service. | | backgroundController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | | backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. | @@ -472,6 +543,11 @@ The chart values are organised per component. | backgroundController.metering.port | int | `8000` | Prometheus endpoint port | | backgroundController.metering.collector | string | `""` | Otel collector endpoint | | backgroundController.metering.creds | string | `""` | Otel collector credentials | +| backgroundController.server | object | `{"port":9443}` | backgroundController server port in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to | +| backgroundController.profiling.enabled | bool | `false` | Enable profiling | +| backgroundController.profiling.port | int | `6060` | Profiling endpoint port | +| backgroundController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| backgroundController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | ### Cleanup controller @@ -484,18 +560,25 @@ The chart values are organised per component. | cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | | cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | -| cleanupController.image.registry | string | `"ghcr.io"` | Image registry | +| cleanupController.image.registry | string | `nil` | Image registry | +| cleanupController.image.defaultRegistry | string | `"reg.kyverno.io"` | | | cleanupController.image.repository | string | `"kyverno/cleanup-controller"` | Image repository | | cleanupController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | cleanupController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | cleanupController.imagePullSecrets | list | `[]` | Image pull secrets | | cleanupController.replicas | int | `nil` | Desired number of pods | +| cleanupController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| cleanupController.resyncPeriod | string | `"15m"` | Resync period for informers | | cleanupController.podLabels | object | `{}` | Additional labels to add to each pod | | cleanupController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| cleanupController.annotations | object | `{}` | Deployment annotations. | | cleanupController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | cleanupController.priorityClassName | string | `""` | Optional priority class | | cleanupController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| cleanupController.server | object | `{"port":9443}` | cleanupController server port in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to | +| cleanupController.webhookServer | object | `{"port":9443}` | cleanupController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to | | cleanupController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| cleanupController.dnsConfig | object | `{}` | `dnsConfig` allows to specify DNS configuration for the pod. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. | | cleanupController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | | cleanupController.extraEnvVars | list | `[]` | Additional container environment variables. | | cleanupController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | @@ -544,6 +627,10 @@ The chart values are organised per component. | cleanupController.metering.port | int | `8000` | Prometheus endpoint port | | cleanupController.metering.collector | string | `""` | Otel collector endpoint | | cleanupController.metering.creds | string | `""` | Otel collector credentials | +| cleanupController.profiling.enabled | bool | `false` | Enable profiling | +| cleanupController.profiling.port | int | `6060` | Profiling endpoint port | +| cleanupController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| cleanupController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | ### Reports controller @@ -552,23 +639,31 @@ The chart values are organised per component. | reportsController.featuresOverride | object | `{}` | Overrides features defined at the root level | | reportsController.enabled | bool | `true` | Enable reports controller. | | reportsController.rbac.create | bool | `true` | Create RBAC resources | +| reportsController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | +| reportsController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | reportsController.rbac.serviceAccount.name | string | `nil` | Service account name | | reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | -| reportsController.image.registry | string | `"ghcr.io"` | Image registry | +| reportsController.image.registry | string | `nil` | Image registry | +| reportsController.image.defaultRegistry | string | `"reg.kyverno.io"` | | | reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository | | reportsController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | reportsController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | reportsController.imagePullSecrets | list | `[]` | Image pull secrets | | reportsController.replicas | int | `nil` | Desired number of pods | +| reportsController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| reportsController.resyncPeriod | string | `"15m"` | Resync period for informers | | reportsController.podLabels | object | `{}` | Additional labels to add to each pod | | reportsController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| reportsController.annotations | object | `{}` | Deployment annotations. | | reportsController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | reportsController.priorityClassName | string | `""` | Optional priority class | | reportsController.apiPriorityAndFairness | bool | `false` | Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ | | reportsController.priorityLevelConfigurationSpec | object | See [values.yaml](values.yaml) | Priority level configuration. The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration | | reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | | reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| reportsController.dnsConfig | object | `{}` | `dnsConfig` allows to specify DNS configuration for the pod. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. | | reportsController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | | reportsController.extraEnvVars | list | `[]` | Additional container environment variables. | | reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | @@ -587,6 +682,8 @@ The chart values are organised per component. | reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | | reportsController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | | reportsController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | +| reportsController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| reportsController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.reportsController.caCertificates.data` is defined | | reportsController.metricsService.create | bool | `true` | Create service. | | reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | | reportsController.metricsService.type | string | `"ClusterIP"` | Service type. | @@ -612,6 +709,12 @@ The chart values are organised per component. | reportsController.metering.port | int | `8000` | Prometheus endpoint port | | reportsController.metering.collector | string | `nil` | Otel collector endpoint | | reportsController.metering.creds | string | `nil` | Otel collector credentials | +| reportsController.server | object | `{"port":9443}` | reportsController server port in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to | +| reportsController.profiling.enabled | bool | `false` | Enable profiling | +| reportsController.profiling.port | int | `6060` | Profiling endpoint port | +| reportsController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| reportsController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| reportsController.sanityChecks | bool | `true` | Enable sanity check for reports CRDs | ### Grafana @@ -622,16 +725,17 @@ The chart values are organised per component. | grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. | | grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. | | grafana.labels | object | `{"grafana_dashboard":"1"}` | Grafana dashboard configmap labels | -| grafana.grafanaDashboard | object | `{"create":false,"matchLabels":{"dashboards":"grafana"}}` | create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ | +| grafana.grafanaDashboard | object | `{"allowCrossNamespaceImport":true,"create":false,"folder":"kyverno","matchLabels":{"dashboards":"grafana"}}` | create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ | ### Webhooks cleanup | Key | Type | Default | Description | |-----|------|---------|-------------| | webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. | +| webhooksCleanup.autoDeleteWebhooks.enabled | bool | `false` | Allow webhooks controller to delete webhooks using finalizers | | webhooksCleanup.image.registry | string | `nil` | Image registry | | webhooksCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository | -| webhooksCleanup.image.tag | string | `"1.28.5"` | Image tag Defaults to `latest` if omitted | +| webhooksCleanup.image.tag | string | `"1.32.3"` | Image tag Defaults to `latest` if omitted | | webhooksCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | | webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets | | webhooksCleanup.podSecurityContext | object | `{}` | Security context for the pod | @@ -639,17 +743,23 @@ The chart values are organised per component. | webhooksCleanup.tolerations | list | `[]` | List of node taints to tolerate | | webhooksCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | | webhooksCleanup.podAffinity | object | `{}` | Pod affinity constraints. | +| webhooksCleanup.podLabels | object | `{}` | Pod labels. | +| webhooksCleanup.podAnnotations | object | `{}` | Pod annotations. | | webhooksCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | | webhooksCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | +| webhooksCleanup.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| webhooksCleanup.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | ### Test | Key | Type | Default | Description | |-----|------|---------|-------------| +| test.sleep | int | `20` | Sleep time before running test | | test.image.registry | string | `nil` | Image registry | | test.image.repository | string | `"busybox"` | Image repository | | test.image.tag | string | `"1.35"` | Image tag Defaults to `latest` if omitted | | test.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | +| test.imagePullSecrets | list | `[]` | Image pull secrets | | test.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | | test.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers | @@ -660,65 +770,30 @@ The chart values are organised per component. |-----|------|---------|-------------| | apiVersionOverride.podDisruptionBudget | string | `nil` | Override api version used to create `PodDisruptionBudget`` resources. When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to determine the api version automatically. | -### Cleanup jobs - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| cleanupJobs.admissionReports.enabled | bool | `true` | Enable cleanup cronjob | -| cleanupJobs.admissionReports.image.registry | string | `nil` | Image registry | -| cleanupJobs.admissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository | -| cleanupJobs.admissionReports.image.tag | string | `"1.28.5"` | Image tag Defaults to `latest` if omitted | -| cleanupJobs.admissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| cleanupJobs.admissionReports.imagePullSecrets | list | `[]` | Image pull secrets | -| cleanupJobs.admissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule | -| cleanupJobs.admissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them | -| cleanupJobs.admissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history | -| cleanupJobs.admissionReports.podSecurityContext | object | `{}` | Security context for the pod | -| cleanupJobs.admissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| cleanupJobs.admissionReports.resources | object | `{}` | Job resources | -| cleanupJobs.admissionReports.tolerations | list | `[]` | List of node taints to tolerate | -| cleanupJobs.admissionReports.nodeSelector | object | `{}` | Node labels for pod assignment | -| cleanupJobs.admissionReports.podAnnotations | object | `{}` | Pod Annotations | -| cleanupJobs.admissionReports.podLabels | object | `{}` | Pod labels | -| cleanupJobs.admissionReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| cleanupJobs.admissionReports.podAffinity | object | `{}` | Pod affinity constraints. | -| cleanupJobs.admissionReports.nodeAffinity | object | `{}` | Node affinity constraints. | -| cleanupJobs.clusterAdmissionReports.enabled | bool | `true` | Enable cleanup cronjob | -| cleanupJobs.clusterAdmissionReports.image.registry | string | `nil` | Image registry | -| cleanupJobs.clusterAdmissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository | -| cleanupJobs.clusterAdmissionReports.image.tag | string | `"1.28.5"` | Image tag Defaults to `latest` if omitted | -| cleanupJobs.clusterAdmissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| cleanupJobs.clusterAdmissionReports.imagePullSecrets | list | `[]` | Image pull secrets | -| cleanupJobs.clusterAdmissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule | -| cleanupJobs.clusterAdmissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them | -| cleanupJobs.clusterAdmissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history | -| cleanupJobs.clusterAdmissionReports.podSecurityContext | object | `{}` | Security context for the pod | -| cleanupJobs.clusterAdmissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| cleanupJobs.clusterAdmissionReports.resources | object | `{}` | Job resources | -| cleanupJobs.clusterAdmissionReports.tolerations | list | `[]` | List of node taints to tolerate | -| cleanupJobs.clusterAdmissionReports.nodeSelector | object | `{}` | Node labels for pod assignment | -| cleanupJobs.clusterAdmissionReports.podAnnotations | object | `{}` | Pod Annotations | -| cleanupJobs.clusterAdmissionReports.podLabels | object | `{}` | Pod Labels | -| cleanupJobs.clusterAdmissionReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| cleanupJobs.clusterAdmissionReports.podAffinity | object | `{}` | Pod affinity constraints. | -| cleanupJobs.clusterAdmissionReports.nodeAffinity | object | `{}` | Node affinity constraints. | - ### Other | Key | Type | Default | Description | |-----|------|---------|-------------| | global.image.registry | string | `nil` | Global value that allows to set a single image registry across all deployments. When set, it will override any values set under `.image.registry` across the chart. | +| global.imagePullSecrets | list | `[]` | Global list of Image pull secrets When set, it will override any values set under `imagePullSecrets` under different components across the chart. | +| global.resyncPeriod | string | `"15m"` | Resync period for informers | +| global.caCertificates.data | string | `nil` | Global CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates Individual controller values will override this global value | +| global.caCertificates.volume | object | `{}` | Global value to set single volume to be mounted for CA certificates for all deployments. Not used when `.Values.global.caCertificates.data` is defined Individual controller values will override this global value | +| global.extraEnvVars | list | `[]` | Additional container environment variables to apply to all containers and init containers | +| global.nodeSelector | object | `{}` | Global node labels for pod assignment. Non-global values will override the global value. | +| global.tolerations | list | `[]` | Global List of node taints to tolerate. Non-global values will override the global value. | | nameOverride | string | `nil` | Override the name of the chart | | fullnameOverride | string | `nil` | Override the expanded name of the chart | | namespaceOverride | string | `nil` | Override the namespace the chart deploys to | | upgrade.fromV2 | bool | `false` | Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. | +| rbac.roles.aggregate | object | `{"admin":true,"view":true}` | Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) | | imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | | existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | | customLabels | object | `{}` | Additional labels | | policyReportsCleanup.enabled | bool | `true` | Create a helm post-upgrade hook to cleanup the old policy reports. | | policyReportsCleanup.image.registry | string | `nil` | Image registry | | policyReportsCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository | -| policyReportsCleanup.image.tag | string | `"1.28.5"` | Image tag Defaults to `latest` if omitted | +| policyReportsCleanup.image.tag | string | `"1.32.3"` | Image tag Defaults to `latest` if omitted | | policyReportsCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | | policyReportsCleanup.imagePullSecrets | list | `[]` | Image pull secrets | | policyReportsCleanup.podSecurityContext | object | `{}` | Security context for the pod | @@ -726,8 +801,12 @@ The chart values are organised per component. | policyReportsCleanup.tolerations | list | `[]` | List of node taints to tolerate | | policyReportsCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | | policyReportsCleanup.podAffinity | object | `{}` | Pod affinity constraints. | +| policyReportsCleanup.podLabels | object | `{}` | Pod labels. | +| policyReportsCleanup.podAnnotations | object | `{}` | Pod annotations. | | policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | | policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | +| policyReportsCleanup.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| policyReportsCleanup.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | ## TLS Configuration @@ -765,6 +844,10 @@ It contains an array of string templates that are passed through the `tpl` Helm Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list. +Add entries to `config.resourceFiltersExclude` that you wish to omit from `config.resourceFilters`. + +Add entries to `config.resourceFiltersInclude` that you with to add to `config.resourceFilters`. + ## High availability Running a highly-available Kyverno installation is crucial in a production environment. @@ -784,8 +867,8 @@ Kubernetes: `>=1.25.0-0` | Repository | Name | Version | |------------|------|---------| -| | crds | 3.1.4 | -| | grafana | 0.0.0 | +| | crds | 3.4.1 | +| | grafana | 3.4.1 | ## Maintainers diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl deleted file mode 100644 index 4c0692c4c1..0000000000 --- a/charts/kyverno/README.md.gotmpl +++ /dev/null @@ -1,404 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.deprecationWarning" . }} -{{ template "chart.description" . }} - -{{ template "chart.badgesSection" . }} - -## About - -[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. - -It allows you to: -- Manage policies as Kubernetes resources (no new language required.) -- Validate, mutate, and generate resource configurations. -- Select resources based on labels and wildcards. -- View policy enforcement as events. -- Scan existing resources for violations. - -This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -Access the complete user documentation and guides at: https://kyverno.io. - -## Installing the Chart - -**IMPORTANT IMPORTANT IMPORTANT IMPORTANT** - -This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section. - -**Add the Kyverno Helm repository:** - -```console -$ helm repo add kyverno https://kyverno.github.io/kyverno/ -``` - -**Create a namespace:** - -You can install Kyverno in any namespace. The examples use `kyverno` as the namespace. - -```console -$ kubectl create namespace kyverno -``` - -**Install the Kyverno chart:** - -```console -$ helm install kyverno --namespace kyverno kyverno/kyverno -``` - -The command deploys Kyverno on the Kubernetes cluster with default configuration. The [installation](https://kyverno.io/docs/installation/) guide lists the parameters that can be configured during installation. - -The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`. -Other ClusterRole/ClusterRoleBinding names are configurable. - -**Notes on using ArgoCD:** - -When deploying this chart with ArgoCD you will need to enable `Replace` in the `syncOptions`, and you probably want to ignore diff in aggregated cluster roles. - -You can do so by following instructions in these pages of ArgoCD documentation: -- [Enable Replace in the syncOptions](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#replace-resource-instead-of-applying-changes) -- [Ignore diff in aggregated cluster roles](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#ignoring-rbac-changes-made-by-aggregateroles) - -ArgoCD uses helm only for templating but applies the results with `kubectl`. - -Unfortunately `kubectl` adds metadata that will cross the limit allowed by Kubernetes. Using `Replace` overcomes this limitation. - -Another option is to use server side apply, this will be supported in ArgoCD v2.5. - -Finally, we introduced new CRDs in 1.8 to manage resource-level reports. Those reports are associated with parent resources using an `ownerReference` object. - -As a consequence, ArgoCD will show those reports in the UI, but as they are managed dynamically by Kyverno it can pollute your dashboard. - -You can tell ArgoCD to ignore reports globally by adding them under the `resource.exclusions` stanza in the ArgoCD ConfigMap. - -```yaml - resource.exclusions: | - - apiGroups: - - kyverno.io - kinds: - - AdmissionReport - - BackgroundScanReport - - ClusterAdmissionReport - - ClusterBackgroundScanReport - clusters: - - '*' -``` - -Below is an example of ArgoCD Application manifest that should work with this chart. - -```yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kyverno - namespace: argocd -spec: - destination: - namespace: kyverno - server: https://kubernetes.default.svc - project: default - source: - chart: kyverno - repoURL: https://kyverno.github.io/kyverno - targetRevision: 2.6.0 - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - - Replace=true -``` - -## Migrating from v2 to v3 - -Direct upgrades from v2 of the Helm chart to v3 are not supported due to the number of breaking changes and manual intervention is required. Review and select an option after carefully reading below. Because either method requires down time, an upgrade should only be performed during a maintenance window. Regardless of the chosen option, please read all release notes very carefully to understand the full extent of changes brought by Kyverno 1.10. Release notes can be found at https://github.com/kyverno/kyverno/releases. - -**IMPORTANT NOTE**: If you currently use [clone-type](https://kyverno.io/docs/writing-policies/generate/#clone-source) generate rules with synchronization enabled, please do not upgrade to 1.10.0 as there is a bug which may prevent synchronization from occurring on all downstream (generated) resources when the source is updated. Please wait for a future patch where this should be resolved. See [issue 7170](https://github.com/kyverno/kyverno/issues/7170) for further details. - -### Option 1 - Uninstallation and Reinstallation - -The first option for upgrading, which is the recommended option, involves backing up Kyverno policy resources, uninstalling Kyverno, and reinstalling with v3 of the chart. Policy Reports for policies which have background mode enabled will be regenerated upon the next scan interval. - -**Pros** - -* Reduced complexity with minimal effort -* Allows re-checking older policies against new validation webhooks in 1.10 - -**Cons** - -* Policy Reports which contained results only from admission mode and from policies/rules where background scans were disabled will be lost. -* Requires additional steps if data-type generate rules are used - -Follow the procedure below. - -1. READ THE COMPLETE RELEASE NOTES FIRST -2. Backup and export all Kyverno policy resources to a YAML manifest. Use the command `kubectl get pol,cpol,cleanpol,ccleanpol,polex -A -o yaml > kyvernobackup.yaml`. - 1. Before performing this step, if you use [data-type](https://kyverno.io/docs/writing-policies/generate/#data-source) generate rules with synchronization enabled (`generate.synchronize: true`) disable synchronization first (set `generate.synchronize: false`). If you do not perform this step first, uninstallation of Kyverno in the subsequent step, which removes all policies, will result in deletion of generated resources. -3. Uninstall your current version of Kyverno. -4. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. -5. Install the v3 chart with Kyverno 1.10. -6. Restore your Kyverno policies. Use the command `kubectl create -f kyvernobackup.yaml`. - 1. Before performing this step, if step 2.1 applied to you, enable synchronization (set `generate.synchronize: true`) AND add the field `spec.generateExisting: true`. This will cause existing, generated resources to be refreshed with the new labeling system used by Kyverno 1.10. Note that this may increment the `resourceVersion` field on all downstream resources. Also, understand that when re-installing these policies with `spec.generateExisting: true`, it could result in additional resources being created at that moment based upon the current match defined in the policy. You may need to further refine the match/exclude blocks of your rules to account for this. - -### Option 2 - Scale to Zero - -In the second option, Kyverno policies do not have to be backed up however you perform more manual work in order to prepare for the upgrade to chart v3. - -**Pros** - -* Policy Reports which contained results from admission mode will be preserved -* Kyverno policies do not need to be backed up first - -**Cons** - -* Older policies will not be revalidated for correctness according to the breaking schema changes. Some policies may not work as they did before. -* Requires additional steps if data-type generate rules are used - -Follow the procedure below. - -1. READ THE COMPLETE RELEASE NOTES FIRST -2. Scale the `kyverno` Deployment to zero replicas. -3. If coming from 1.9 and you have installed the cleanup controller, scale the `kyverno-cleanup-controller` Deployment to zero replicas. -4. If step 3 applied to you, now delete the cleanup Deployment. -5. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. -6. Upgrade to the v3 chart by passing the mandatory flag `upgrade.fromV2=true`. -7. If you use [data-type](https://kyverno.io/docs/writing-policies/generate/#data-source) generate rules with synchronization enabled (`generate.synchronize: true`), after the upgrade modify those policies to add the field `spec.generateExisting: true`. This will cause existing, generated resources to be refreshed with the new labeling system used by Kyverno 1.10. Note that this may increment the `resourceVersion` field on all downstream resources. Also, understand that when making this modification, it could result in additional resources being created at that moment based upon the current match defined in the policy. You may need to further refine the match/exclude blocks of your rules to account for this. - -### New Chart Values - -In `v3` chart values changed significantly, please read the instructions below to migrate your values: - -- `config.metricsConfig` is now `metricsConfig` -- `resourceFiltersExcludeNamespaces` has been replaced with `config.resourceFiltersExcludeNamespaces` -- `excludeKyvernoNamespace` has been replaced with `config.excludeKyvernoNamespace` -- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__ -- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__ -- `namespace` has been renamed `namespaceOverride` -- `installCRDs` has been replaced with `crds.install` -- `testImage` has been replaced with `test.image` -- `testResources` has been replaced with `test.resources` -- `testSecurityContext` has been replaced with `test.securityContext` -- `replicaCount` has been replaced with `admissionController.replicas` -- `updateStrategy` has been replaced with `admissionController.updateStrategy` -- `priorityClassName` has been replaced with `admissionController.priorityClassName` -- `hostNetwork` has been replaced with `admissionController.hostNetwork` -- `dnsPolicy` has been replaced with `admissionController.dnsPolicy` -- `nodeSelector` has been replaced with `admissionController.nodeSelector` -- `tolerations` has been replaced with `admissionController.tolerations` -- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints` -- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget` -- `antiAffinity` has been replaced with `admissionController.antiAffinity` -- `antiAffinity.enable` has been replaced with `admissionController.antiAffinity.enabled` -- `podAntiAffinity` has been replaced with `admissionController.podAntiAffinity` -- `podAffinity` has been replaced with `admissionController.podAffinity` -- `nodeAffinity` has been replaced with `admissionController.nodeAffinity` -- `startupProbe` has been replaced with `admissionController.startupProbe` -- `livenessProbe` has been replaced with `admissionController.livenessProbe` -- `readinessProbe` has been replaced with `admissionController.readinessProbe` -- `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert` -- `serviceMonitor` has been replaced with `admissionController.serviceMonitor` -- `podSecurityContext` has been replaced with `admissionController.podSecurityContext` -- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath` -- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume` -- `initImage` has been replaced with `admissionController.initContainer.image` -- `initResources` has been replaced with `admissionController.initContainer.resources` -- `image` has been replaced with `admissionController.container.image` -- `image.pullSecrets` has been replaced with `admissionController.imagePullSecrets` -- `resources` has been replaced with `admissionController.container.resources` -- `service` has been replaced with `admissionController.service` -- `metricsService` has been replaced with `admissionController.metricsService` -- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs` -- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars` -- `envVars` has been replaced with `admissionController.container.extraEnvVars` -- `extraArgs` has been replaced with `admissionController.container.extraArgs` -- `extraInitContainers` has been replaced with `admissionController.extraInitContainers` -- `extraContainers` has been replaced with `admissionController.extraContainers` -- `podLabels` has been replaced with `admissionController.podLabels` -- `podAnnotations` has been replaced with `admissionController.podAnnotations` -- `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext` -- `rbac` has been replaced with `admissionController.rbac` -- `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources` -- `networkPolicy` has been replaced with `admissionController.networkPolicy` -- all `extraArgs` now use objects instead of arrays -- logging, tracing and metering are now configured using `*Controller.logging`, `*Controller.tracing` and `*Controller.metering` - -- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. - -- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. - -- Image references are now using the `registry` setting, if you override the registry or repository fields please use `registry` (`--set image.registry=ghcr.io --set image.repository=kyverno/kyverno` instead of `--set image.repository=ghcr.io/kyverno/kyverno`). - -- Admission controller `Deployment` name changed from `kyverno` to `kyverno-admission-controller`. -- `config.excludeUsername` was renamed to `config.excludeUsernames` -- `config.excludeGroupRole` was renamed to `config.excludeGroups` - -Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions. - -## Uninstalling the Chart - -To uninstall/delete the `kyverno` deployment: - -```console -$ helm delete -n kyverno kyverno -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Values - -The chart values are organised per component. - -{{- $other := list -}} -{{- $crds := list -}} -{{- $config := list -}} -{{- $metricsConfig := list -}} -{{- $features := list -}} -{{- $admissionController := list -}} -{{- $backgroundController := list -}} -{{- $cleanupController := list -}} -{{- $reportsController := list -}} -{{- $grafana := list -}} -{{- $test := list -}} -{{- $apiVersionOverride := list -}} -{{- $webhooksCleanup := list -}} -{{- $cleanupJobs := list -}} -{{- range .Values -}} - {{- if (hasPrefix "admissionController." .Key) -}} - {{- $admissionController = append $admissionController . -}} - {{- else if (hasPrefix "backgroundController." .Key) -}} - {{- $backgroundController = append $backgroundController . -}} - {{- else if (hasPrefix "cleanupController." .Key) -}} - {{- $cleanupController = append $cleanupController . -}} - {{- else if (hasPrefix "reportsController." .Key) -}} - {{- $reportsController = append $reportsController . -}} - {{- else if (hasPrefix "crds." .Key) -}} - {{- $crds = append $crds . -}} - {{- else if (hasPrefix "config." .Key) -}} - {{- $config = append $config . -}} - {{- else if (hasPrefix "metricsConfig." .Key) -}} - {{- $metricsConfig = append $metricsConfig . -}} - {{- else if (hasPrefix "webhooksCleanup." .Key) -}} - {{- $webhooksCleanup = append $webhooksCleanup . -}} - {{- else if (hasPrefix "grafana." .Key) -}} - {{- $grafana = append $grafana . -}} - {{- else if (hasPrefix "features." .Key) -}} - {{- $features = append $features . -}} - {{- else if (hasPrefix "test." .Key) -}} - {{- $test = append $test . -}} - {{- else if (hasPrefix "apiVersionOverride." .Key) -}} - {{- $apiVersionOverride = append $apiVersionOverride . -}} - {{- else if (hasPrefix "cleanupJobs." .Key) -}} - {{- $cleanupJobs = append $cleanupJobs . -}} - {{- else -}} - {{- $other = append $other . -}} - {{- end -}} -{{- end }} - -### Custom resource definitions - -{{ template "chart.valuesTable" (dict "Values" $crds) }} - -### Config - -{{ template "chart.valuesTable" (dict "Values" $config) }} - -### Metrics config - -{{ template "chart.valuesTable" (dict "Values" $metricsConfig) }} - -### Features - -{{ template "chart.valuesTable" (dict "Values" $features) }} - -### Admission controller - -{{ template "chart.valuesTable" (dict "Values" $admissionController) }} - -### Background controller - -{{ template "chart.valuesTable" (dict "Values" $backgroundController) }} - -### Cleanup controller - -{{ template "chart.valuesTable" (dict "Values" $cleanupController) }} - -### Reports controller - -{{ template "chart.valuesTable" (dict "Values" $reportsController) }} - -### Grafana - -{{ template "chart.valuesTable" (dict "Values" $grafana) }} - -### Webhooks cleanup - -{{ template "chart.valuesTable" (dict "Values" $webhooksCleanup) }} - -### Test - -{{ template "chart.valuesTable" (dict "Values" $test) }} - -### Api version override - -{{ template "chart.valuesTable" (dict "Values" $apiVersionOverride) }} - -### Cleanup jobs - -{{ template "chart.valuesTable" (dict "Values" $cleanupJobs) }} - -### Other - -{{ template "chart.valuesTable" (dict "Values" $other) }} - -## TLS Configuration - -If `admissionController.createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) - -If `admissionController.createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). - -## Default resource filters - -[Kyverno resource filters](https://kyverno.io/docs/installation/#resource-filters) are a used to exclude resources from the Kyverno engine rules processing. - -This chart comes with default resource filters that apply exclusions on a couple of namespaces and resource kinds: -- all resources in `kube-system`, `kube-public` and `kube-node-lease` namespaces -- all resources in all namespaces for the following resource kinds: - - `Event` - - `Node` - - `APIService` - - `TokenReview` - - `SubjectAccessReview` - - `SelfSubjectAccessReview` - - `Binding` - - `ReplicaSet` - - `AdmissionReport` - - `ClusterAdmissionReport` - - `BackgroundScanReport` - - `ClusterBackgroundScanReport` -- all resources created by this chart itself - -Those default exclusions are there to prevent disruptions as much as possible. -Under the hood, Kyverno installs an admission controller for critical cluster resources. -A cluster can become unresponsive if Kyverno is not up and running, ultimately preventing pods to be scheduled in the cluster. - -You can however override the default resource filters by setting the `config.resourceFilters` stanza. -It contains an array of string templates that are passed through the `tpl` Helm function and joined together to produce the final `resourceFilters` written in the Kyverno config map. - -Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list. - -## High availability - -Running a highly-available Kyverno installation is crucial in a production environment. - -In order to run Kyverno in high availability mode, you should set `replicas` to `3` or more for desired components. -You should also pay attention to anti affinity rules, spreading pods across nodes and availability zones. - -Please see https://kyverno.io/docs/installation/#security-vs-operability for more informations. - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.maintainersSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/charts/kyverno/charts/crds/Chart.yaml b/charts/kyverno/charts/crds/Chart.yaml index a640c95f0f..caa4f69fee 100644 --- a/charts/kyverno/charts/crds/Chart.yaml +++ b/charts/kyverno/charts/crds/Chart.yaml @@ -1,3 +1,3 @@ apiVersion: v2 name: crds -version: 3.1.4 +version: 3.4.1 diff --git a/charts/kyverno/charts/crds/README.md b/charts/kyverno/charts/crds/README.md index 732db415e6..c870a24640 100644 --- a/charts/kyverno/charts/crds/README.md +++ b/charts/kyverno/charts/crds/README.md @@ -1,11 +1,15 @@ # crds -![Version: 3.1.4](https://img.shields.io/badge/Version-3.1.4-informational?style=flat-square) +![Version: 3.4.1](https://img.shields.io/badge/Version-3.4.1-informational?style=flat-square) ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart | +| groups.policies | object | `{"imagevalidatingpolicies":true,"policyexceptions":true,"validatingpolicies":true}` | Install CRDs in group `reports.kyverno.io` | +| groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart | +| groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart | | annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart | | customLabels | object | `{}` | This field can be overwritten by setting crds.labels in the parent chart | diff --git a/charts/kyverno/charts/crds/templates/crds.yaml b/charts/kyverno/charts/crds/templates/crds.yaml deleted file mode 100644 index ad6a7c0fa6..0000000000 --- a/charts/kyverno/charts/crds/templates/crds.yaml +++ /dev/null @@ -1,43925 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: admissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: AdmissionReport - listKind: AdmissionReportList - plural: admissionreports - shortNames: - - admr - singular: admissionreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.summary.pass - name: PASS - type: integer - - jsonPath: .spec.summary.fail - name: FAIL - type: integer - - jsonPath: .spec.summary.warn - name: WARN - type: integer - - jsonPath: .spec.summary.error - name: ERROR - type: integer - - jsonPath: .spec.summary.skip - name: SKIP - type: integer - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] - name: GVR - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] - name: REF - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: AdmissionReport is the Schema for the AdmissionReports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: backgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: BackgroundScanReport - listKind: BackgroundScanReportList - plural: backgroundscanreports - shortNames: - - bgscanr - singular: backgroundscanreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: BackgroundScanReport is the Schema for the BackgroundScanReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: cleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: CleanupPolicy - listKind: CleanupPolicyList - plural: cleanuppolicies - shortNames: - - cleanpol - singular: cleanuppolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - name: v2alpha1 - schema: - openAPIV3Schema: - description: CleanupPolicy defines a rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. - properties: - data: - description: Data specifies the POST data sent to the server. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2beta1 - schema: - openAPIV3Schema: - description: CleanupPolicy defines a rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. - properties: - data: - description: Data specifies the POST data sent to the server. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clusteradmissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterAdmissionReport - listKind: ClusterAdmissionReportList - plural: clusteradmissionreports - shortNames: - - cadmr - singular: clusteradmissionreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.summary.pass - name: PASS - type: integer - - jsonPath: .spec.summary.fail - name: FAIL - type: integer - - jsonPath: .spec.summary.warn - name: WARN - type: integer - - jsonPath: .spec.summary.error - name: ERROR - type: integer - - jsonPath: .spec.summary.skip - name: SKIP - type: integer - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] - name: GVR - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] - name: REF - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clusterbackgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterBackgroundScanReport - listKind: ClusterBackgroundScanReportList - plural: clusterbackgroundscanreports - shortNames: - - cbgscanr - singular: clusterbackgroundscanreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clustercleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterCleanupPolicy - listKind: ClusterCleanupPolicyList - plural: clustercleanuppolicies - shortNames: - - ccleanpol - singular: clustercleanuppolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - name: v2alpha1 - schema: - openAPIV3Schema: - description: ClusterCleanupPolicy defines rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. - properties: - data: - description: Data specifies the POST data sent to the server. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2beta1 - schema: - openAPIV3Schema: - description: ClusterCleanupPolicy defines rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. - properties: - data: - description: Data specifies the POST data sent to the server. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clusterpolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterPolicy - listKind: ClusterPolicyList - plural: clusterpolicies - shortNames: - - cpol - singular: clusterpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - admission: - default: true - description: Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - data: - description: Data specifies the POST data sent to - the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' - type: string - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." - type: string - valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited - variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are - escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting - elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." - type: string - message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." - type: string - namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" - type: string - selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - data: - description: Data specifies the POST data sent - to the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' - type: string - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." - type: string - valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." - type: string - message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." - type: string - namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" - type: string - selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v2beta1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - admission: - default: true - description: Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - data: - description: Data specifies the POST data sent to - the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' - type: string - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." - type: string - valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited - variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are - escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting - elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." - type: string - message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." - type: string - namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" - type: string - selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. - items: - type: string - type: array - type: object - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - data: - description: Data specifies the POST data sent - to the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' - type: string - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." - type: string - valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." - type: string - message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." - type: string - namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" - type: string - selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: policies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: Policy - listKind: PolicyList - plural: policies - shortNames: - - pol - singular: policy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v1 - schema: - openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. - properties: - admission: - default: true - description: Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - data: - description: Data specifies the POST data sent to - the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' - type: string - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." - type: string - valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited - variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are - escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting - elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." - type: string - message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." - type: string - namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" - type: string - selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Deprecated. Policy metrics are available via the metrics - endpoint - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - data: - description: Data specifies the POST data sent - to the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' - type: string - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." - type: string - valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." - type: string - message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." - type: string - namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" - type: string - selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v2beta1 - schema: - openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. - properties: - admission: - default: true - description: Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - data: - description: Data specifies the POST data sent to - the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' - type: string - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." - type: string - valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited - variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are - escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting - elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." - type: string - message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." - type: string - namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" - type: string - selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. - items: - type: string - type: array - type: object - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." - type: string - name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - data: - description: Data specifies the POST data sent - to the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' - type: string - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." - type: string - valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." - type: string - message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' - type: string - messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' - type: string - reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". - Required. - type: string - kind: - description: Kind is the API kind the resources - belong to. Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." - type: string - namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." - type: string - parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" - type: string - selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. - type: string - name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - url: - description: URL is the JSON web - service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities). - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. - properties: - ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: policyexceptions.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: PolicyException - listKind: PolicyExceptionList - plural: policyexceptions - shortNames: - - polex - singular: policyexception - scope: Namespaced - versions: - - deprecated: true - name: v2alpha1 - schema: - openAPIV3Schema: - description: PolicyException declares resources to be excluded from specified - policies. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. - properties: - background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - exceptions: - description: Exceptions is a list policy/rules to be excluded - items: - description: Exception stores infos about a policy and rules - properties: - policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. - type: string - ruleNames: - description: RuleNames identifies the rules to which the exception - is applied. - items: - type: string - type: array - required: - - policyName - - ruleNames - type: object - type: array - match: - description: Match defines match clause used to check if a resource - applies to the exception - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - required: - - exceptions - - match - type: object - required: - - spec - type: object - served: true - storage: false - - name: v2beta1 - schema: - openAPIV3Schema: - description: PolicyException declares resources to be excluded from specified - policies. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. - properties: - background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - exceptions: - description: Exceptions is a list policy/rules to be excluded - items: - description: Exception stores infos about a policy and rules - properties: - policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. - type: string - ruleNames: - description: RuleNames identifies the rules to which the exception - is applied. - items: - type: string - type: array - required: - - policyName - - ruleNames - type: object - type: array - match: - description: Match defines match clause used to check if a resource - applies to the exception - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - required: - - exceptions - - match - type: object - required: - - spec - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: updaterequests.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: UpdateRequest - listKind: UpdateRequestList - plural: updaterequests - shortNames: - - ur - singular: updaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.requestType - name: RuleType - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName - type: string - - jsonPath: .spec.resource.namespace - name: ResourceNamespace - type: string - - jsonPath: .status.state - name: status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: UpdateRequest is a request to process mutate and generate rules - in background. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ResourceSpec is the information to identify the trigger resource. - properties: - context: - description: Context ... - properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - description: AdmissionRequest describes the admission.Attributes - for the admission request. - properties: - dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. - type: boolean - kind: - description: Kind is the fully-qualified type of object - being submitted (for example, v1.Pod or autoscaling.v1.Scale) - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. - type: string - namespace: - description: Namespace is the namespace associated with - the request (if any). - type: string - object: - description: Object is the object from the incoming request. - type: object - x-kubernetes-preserve-unknown-fields: true - oldObject: - description: OldObject is the existing object. Only populated - for DELETE and UPDATE requests. - type: object - x-kubernetes-preserve-unknown-fields: true - operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. - type: string - options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. - type: object - x-kubernetes-preserve-unknown-fields: true - requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. \n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. - type: string - resource: - description: Resource is the fully-qualified resource - being requested (for example, v1.pods) - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - subResource: - description: SubResource is the subresource being requested, - if any (for example, "status" or "scale") - type: string - uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. - type: string - userInfo: - description: UserInfo is information about the requesting - user - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by - the authenticator. - type: object - groups: - description: The names of groups this user is a part - of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this - user among all active users. - type: string - type: object - required: - - kind - - operation - - resource - - uid - - userInfo - type: object - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - deleteDownstream: - description: DeleteDownstream represents whether the downstream needs - to be deleted. - type: boolean - policy: - description: Specifies the name of the policy. - type: string - requestType: - description: Type represents request type for background processing - enum: - - mutate - - generate - type: string - resource: - description: ResourceSpec is the information to identify the trigger - resource. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - uid: - description: UID specifies the resource uid. - type: string - type: object - rule: - description: Rule is the associate rule name of the current UR. - type: string - synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. - type: boolean - required: - - context - - deleteDownstream - - policy - - resource - - rule - type: object - status: - description: Status contains statistics related to update request. - properties: - generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - handler: - description: Deprecated - type: string - message: - description: Specifies request status message. - type: string - retryCount: - type: integer - state: - description: State represents state of the update request. - type: string - required: - - state - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: clusterpolicyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: ClusterPolicyReport - listKind: ClusterPolicyReportList - plural: clusterpolicyreports - shortNames: - - cpolr - singular: clusterpolicyreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - type: string - - jsonPath: .scope.name - name: Name - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - name: policyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: PolicyReport - listKind: PolicyReportList - plural: policyreports - shortNames: - - polr - singular: policyreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - type: string - - jsonPath: .scope.name - name: Name - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: PolicyReport is the Schema for the policyreports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml new file mode 100644 index 0000000000..8b6462028c --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml @@ -0,0 +1,2612 @@ +{{- if .Values.groups.kyverno.cleanuppolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: cleanuppolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: CleanupPolicy + listKind: CleanupPolicyList + plural: cleanuppolicies + shortNames: + - cleanpol + singular: cleanuppolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers + to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deletionPropagationPolicy: + description: DeletionPropagationPolicy defines how resources will + be deleted (Foreground, Background, Orphan). + enum: + - Foreground + - Background + - Orphan + type: string + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - match + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v2beta1 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers + to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deletionPropagationPolicy: + description: DeletionPropagationPolicy defines how resources will + be deleted (Foreground, Background, Orphan). + enum: + - Foreground + - Background + - Orphan + type: string + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - match + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml new file mode 100644 index 0000000000..833b2b5fde --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml @@ -0,0 +1,2612 @@ +{{- if .Values.groups.kyverno.clustercleanuppolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: clustercleanuppolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterCleanupPolicy + listKind: ClusterCleanupPolicyList + plural: clustercleanuppolicies + shortNames: + - ccleanpol + singular: clustercleanuppolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers + to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deletionPropagationPolicy: + description: DeletionPropagationPolicy defines how resources will + be deleted (Foreground, Background, Orphan). + enum: + - Foreground + - Background + - Orphan + type: string + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - match + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers + to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deletionPropagationPolicy: + description: DeletionPropagationPolicy defines how resources will + be deleted (Foreground, Background, Orphan). + enum: + - Foreground + - Background + - Orphan + type: string + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - match + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml new file mode 100644 index 0000000000..a0f96a4cd6 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml @@ -0,0 +1,20317 @@ +{{- if .Values.groups.kyverno.clusterpolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterPolicy + listKind: ClusterPolicyList + plural: clusterpolicies + shortNames: + - cpol + singular: clusterpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + emitWarning: + default: false + description: |- + EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. + Enabling this option will extend admission request processing times. The default value is "false". + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP + headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for + public keys. Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message to + be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report + result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is + defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use + attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message + to be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + type: object + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + emitWarning: + default: false + description: |- + EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. + Enabling this option will extend admission request processing times. The default value is "false". + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP + headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for + public keys. Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message to + be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report + result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is + defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use + attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message + to be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + type: object + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml new file mode 100644 index 0000000000..eaa328ee23 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml @@ -0,0 +1,280 @@ +{{- if .Values.groups.kyverno.globalcontextentries }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: globalcontextentries.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: GlobalContextEntry + listKind: GlobalContextEntryList + plural: globalcontextentries + shortNames: + - gctxentry + singular: globalcontextentry + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.apiCall.refreshInterval + name: REFRESH INTERVAL + type: string + - jsonPath: .status.lastRefreshTime + name: LAST REFRESH + type: date + name: v2alpha1 + schema: + openAPIV3Schema: + description: GlobalContextEntry declares resources to be cached. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + oneOf: + - required: + - kubernetesResource + - required: + - apiCall + properties: + apiCall: + description: |- + Stores results from an API call which will be cached. + Mutually exclusive with KubernetesResource. + This can be used to make calls to external (non-Kubernetes API server) services. + It can also be used to make calls to the Kubernetes API server in such cases: + 1. A POST is needed to create a resource. + 2. Finer-grained control is needed. Example: To restrict the number of resources cached. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + method: + default: GET + description: Method is the HTTP request type (GET or POST). Defaults + to GET. + enum: + - GET + - POST + type: string + refreshInterval: + default: 10m + description: |- + RefreshInterval defines the interval in duration at which to poll the APICall. + The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix, + such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + format: duration + type: string + retryLimit: + default: 3 + description: RetryLimit defines the number of times the APICall + should be retried in case of failure. + minimum: 1 + type: integer + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers to + be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + kubernetesResource: + description: |- + Stores a list of Kubernetes resources which will be cached. + Mutually exclusive with APICall. + properties: + group: + description: Group defines the group of the resource. + type: string + namespace: + description: |- + Namespace defines the namespace of the resource. Leave empty for cluster scoped resources. + If left empty for namespaced resources, all resources from all namespaces will be cached. + type: string + resource: + description: |- + Resource defines the type of the resource. + Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments") + type: string + version: + description: Version defines the version of the resource. + type: string + required: + - resource + - version + type: object + projections: + description: Projections defines the list of JMESPath expressions + to extract values from the cached resource. + items: + properties: + jmesPath: + description: JMESPath is the JMESPath expression to extract + the value from the cached resource. + type: string + name: + description: Name is the name to use for the extracted value + in the context. + type: string + required: + - jmesPath + - name + type: object + type: array + type: object + status: + description: Status contains globalcontextentry runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastRefreshTime: + description: Indicates the time when the globalcontextentry was last + refreshed successfully for the API Call + format: date-time + type: string + ready: + description: Deprecated in favor of Conditions + type: boolean + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml new file mode 100644 index 0000000000..22270dd048 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -0,0 +1,20320 @@ +{{- if .Values.groups.kyverno.policies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: policies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + emitWarning: + default: false + description: |- + EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. + Enabling this option will extend admission request processing times. The default value is "false". + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP + headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for + public keys. Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message to + be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Deprecated. Policy metrics are available via the metrics + endpoint + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report + result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is + defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use + attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message + to be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + type: object + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + emitWarning: + default: false + description: |- + EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. + Enabling this option will extend admission request processing times. The default value is "false". + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP + headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for + public keys. Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message to + be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report + result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is + defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use + attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message + to be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + type: object + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml new file mode 100644 index 0000000000..f5b1fb6b59 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml @@ -0,0 +1,1308 @@ +{{- if .Values.groups.kyverno.policyexceptions }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: policyexceptions.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: PolicyException + listKind: PolicyExceptionList + plural: policyexceptions + shortNames: + - polex + singular: policyexception + scope: Namespaced + versions: + - name: v2 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + background: + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + conditions: + description: |- + Conditions are used to determine if a resource applies to the exception by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + exceptions: + description: Exceptions is a list policy/rules to be excluded + items: + description: Exception stores infos about a policy and rules + properties: + policyName: + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. + type: string + ruleNames: + description: RuleNames identifies the rules to which the exception + is applied. + items: + type: string + type: array + required: + - policyName + - ruleNames + type: object + type: array + match: + description: Match defines match clause used to check if a resource + applies to the exception + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + podSecurity: + description: |- + PodSecurity specifies the Pod Security Standard controls to be excluded. + Applicable only to policies that have validate.podSecurity subrule. + items: + description: PodSecurityStandard specifies the Pod Security Standard + controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + required: + - exceptions + - match + type: object + required: + - spec + type: object + served: true + storage: true + - deprecated: true + name: v2beta1 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + background: + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + conditions: + description: |- + Conditions are used to determine if a resource applies to the exception by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + exceptions: + description: Exceptions is a list policy/rules to be excluded + items: + description: Exception stores infos about a policy and rules + properties: + policyName: + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. + type: string + ruleNames: + description: RuleNames identifies the rules to which the exception + is applied. + items: + type: string + type: array + required: + - policyName + - ruleNames + type: object + type: array + match: + description: Match defines match clause used to check if a resource + applies to the exception + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + podSecurity: + description: |- + PodSecurity specifies the Pod Security Standard controls to be excluded. + Applicable only to policies that have validate.podSecurity subrule. + items: + description: PodSecurityStandard specifies the Pod Security Standard + controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + required: + - exceptions + - match + type: object + required: + - spec + type: object + served: true + storage: false +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml new file mode 100644 index 0000000000..738caed4f8 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml @@ -0,0 +1,838 @@ +{{- if .Values.groups.kyverno.updaterequests }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: updaterequests.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: UpdateRequest + listKind: UpdateRequestList + plural: updaterequests + shortNames: + - ur + singular: updaterequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.rule + name: Rule + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + See documentation for the "matchPolicy" field in the webhook configuration type. + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean + policy: + description: Specifies the name of the policy. + type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + handler: + description: Deprecated + type: string + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: |- + Context represents admission request context. + It is used upon admission review only and is shared across rules within the same UR. + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + See documentation for the "matchPolicy" field in the webhook configuration type. + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + synchronize: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: |- + DeleteDownstream represents whether the downstream needs to be deleted. + Deprecated + type: boolean + policy: + description: Specifies the name of the policy. + type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + ruleContext: + description: |- + RuleContext is the associate context to apply rules. + optional + items: + properties: + deleteDownstream: + description: DeleteDownstream represents whether the downstream + needs to be deleted. + type: boolean + rule: + description: Rule is the associate rule name of the current + UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + trigger: + description: ResourceSpec is the information to identify the + trigger resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + required: + - deleteDownstream + - rule + - trigger + type: object + type: array + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + Deprecated, will be removed in 1.14. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml new file mode 100644 index 0000000000..42e8fd9565 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml @@ -0,0 +1,2241 @@ +{{- if .Values.groups.policies.imagevalidatingpolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: imagevalidatingpolicies.policies.kyverno.io +spec: + group: policies.kyverno.io + names: + categories: + - kyverno + kind: ImageValidatingPolicy + listKind: ImageValidatingPolicyList + plural: imagevalidatingpolicies + shortNames: + - ivpol + singular: imagevalidatingpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .status.conditionStatus.ready + name: READY + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ImageValidatingPolicySpec is the specification of the desired + behavior of the ImageValidatingPolicy. + properties: + attestations: + description: Attestations provides a list of image metadata to verify + items: + description: Attestation defines the identification details of the metadata + that has to be verified + properties: + intoto: + description: InToto defines the details of attestation attached + using intoto format + properties: + type: + description: Type defines the type of attestation contained + within the statement. + type: string + required: + - type + type: object + name: + description: Name is the name for this attestation. It is used + to refer to the attestation in verification + type: string + referrer: + description: Referrer defines the details of attestation attached + using OCI 1.1 format + properties: + type: + description: Type defines the type of attestation attached + to the image. + type: string + required: + - type + type: object + required: + - name + type: object + type: array + attestors: + description: Attestors provides a list of trusted authorities. + items: + description: Attestor is an identity that confirms or verifies the + authenticity of an image or an attestation + properties: + cosign: + description: Cosign defines attestor configuration for Cosign + based signatures + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + certificate: + description: Certificate defines the configuration for local + signature verification + properties: + cert: + description: Certificate is the to the public certificate + for local signature verification. + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a CEL expression + input. + type: string + value: + description: Value defines the raw string input. + type: string + type: object + certChain: + description: |- + CertificateChain is the list of CA certificates in PEM format which will be needed + when building the certificate chain for the signing certificate. Must start with the + parent intermediate CA certificate of the signing certificate and end with the root certificate + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a CEL expression + input. + type: string + value: + description: Value defines the raw string input. + type: string + type: object + type: object + ctlog: + description: CTLog sets the configuration to verify the + authority against a Rekor instance. + properties: + ctLogPubKey: + description: CTLogPubKey, if set, is used to validate + SCTs against a custom source. + type: string + insecureIgnoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + insecureIgnoreTlog: + description: InsecureIgnoreTlog skips transparency log + verification. + type: boolean + rekorPubKey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + url: + description: URL sets the url to the rekor instance + (by default the public rekor.sigstore.dev) + type: string + type: object + key: + description: Key defines the type of key to validate the + image. + properties: + data: + description: Data contains the inline public key + type: string + expression: + description: Expression is a Expression expression that + returns the public key. + type: string + hashAlgorithm: + description: |- + HashAlgorithm specifues signature algorithm for public keys. Supported values are + sha224, sha256, sha384 and sha512. Defaults to sha256. + type: string + kms: + description: |- + KMS contains the KMS url of the public key + Supported formats differ based on the KMS system used. + type: string + type: object + keyless: + description: Keyless sets the configuration to verify the + authority against a Fulcio instance. + properties: + identities: + description: Identities sets a list of identities. + items: + description: |- + Identity may contain the issuer and/or the subject found in the transparency + log. + Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp + apply a regexp for matching. + properties: + issuer: + description: Issuer defines the issuer for this + identity. + type: string + issuerRegExp: + description: IssuerRegExp specifies a regular + expression to match the issuer for this identity. + type: string + subject: + description: Subject defines the subject for this + identity. + type: string + subjectRegExp: + description: SubjectRegExp specifies a regular + expression to match the subject for this identity. + type: string + type: object + type: array + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + required: + - identities + type: object + source: + description: Sources sets the configuration to specify the + sources from where to consume the signature and attestations. + properties: + PullSecrets: + description: |- + SignaturePullSecrets is an optional list of references to secrets in the + same namespace as the deploying resource for pulling any of the signatures + used by this Source. + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + repository: + description: Repository defines the location from where + to pull the signature / attestations. + type: string + tagPrefix: + description: |- + TagPrefix is an optional prefix that signature and attestations have. + This is the 'tag based discovery' and in the future once references are + fully supported that should likely be the preferred way to handle these. + type: string + type: object + tuf: + description: TUF defines the configuration to fetch sigstore + root + properties: + mirror: + description: Mirror is the base URL of Sigstore TUF + repository + type: string + root: + description: Root defines the path or data of the trusted + root + properties: + data: + description: Data is the base64 encoded TUF root + type: string + path: + description: Path is the URL or File location of + the TUF root + type: string + type: object + type: object + type: object + name: + description: Name is the name for this attestor. It is used + to refer to the attestor in verification + type: string + notary: + description: Notary defines attestor configuration for Notary + based signatures + properties: + certs: + description: Certs define the cert chain for Notary signature + verification + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a CEL expression + input. + type: string + value: + description: Value defines the raw string input. + type: string + type: object + tsaCerts: + description: TSACerts define the cert chain for verifying + timestamps of notary signature + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a CEL expression + input. + type: string + value: + description: Value defines the raw string input. + type: string + type: object + type: object + required: + - name + type: object + type: array + auditAnnotations: + description: |- + auditAnnotations contains CEL expressions which are used to produce audit + annotations for the audit event of the API request. + validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is + required. + items: + description: AuditAnnotation describes how to produce an audit annotation + for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + x-kubernetes-list-type: atomic + autogen: + description: AutogenConfiguration defines the configuration for the + generation controller. + properties: + podControllers: + description: PodControllers specifies whether to generate a pod + controllers rules. + properties: + controllers: + items: + type: string + type: array + type: object + type: object + credentials: + description: Credentials provides credentials that will be used for + authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access to a + registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: CredentialsProvidersType provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + evaluation: + description: EvaluationConfiguration defines the configuration for + the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation during background + scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + mode: + description: |- + Mode is the mode of policy evaluation. + Allowed values are "Kubernetes" or "JSON". + Optional. Default value is "Kubernetes". + type: string + type: object + failurePolicy: + description: |- + FailurePolicy defines how to handle failures for the admission policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid + or mis-configured policy definitions or bindings. + enum: + - Ignore + - Fail + type: string + images: + description: ImageExtractors is a list of CEL expression to extract + images from the resource + items: + properties: + expression: + description: Expression defines CEL expression to extract images + from the resource. + type: string + name: + description: Name is the name for this imageList. It is used + to refer to the images in verification block as images. + type: string + required: + - expression + - name + type: object + type: array + matchConditions: + description: |- + MatchConditions is a list of conditions that must be met for a request to be validated. + Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + There are a maximum of 64 match conditions allowed. + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + matchConstraints: + description: MatchConstraints specifies what resources this policy + is designed to validate. + properties: + excludeResourceRules: + description: |- + ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. + The exclude rules take precedence over include rules (if a resource matches both, it is excluded) + items: + description: NamedRuleWithOperations is a tuple of Operations + and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for + a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional white list of + names that the rule applies to. An empty set means that + everything is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + matchPolicy: + description: |- + matchPolicy defines how the "MatchResources" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". + + - Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. + + - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. + + Defaults to "Equivalent" + type: string + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the admission control policy on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the policy. + + For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] + } + + If instead you want to only run the policy on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] + } + + See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + for more examples of label selectors. + + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the validation based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the cel validation, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resourceRules: + description: |- + ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. + The policy cares about an operation if it matches _any_ Rule. + items: + description: NamedRuleWithOperations is a tuple of Operations + and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for + a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional white list of + names that the rule applies to. An empty set means that + everything is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + matchImageReferences: + description: |- + MatchImageReferences is a list of Glob and CELExpressions to match images. + Any image that matches one of the rules is considered for validation + Any image that does not match a rule is skipped, even when they are passed as arguments to + image verification functions + items: + description: MatchImageReference defines a Glob or a CEL expression + for matching images + oneOf: + - required: + - glob + - required: + - expression + properties: + expression: + description: Expression defines CEL Expressions for matching + images + type: string + glob: + description: Glob defines a globbing pattern for matching images + type: string + type: object + type: array + validationActions: + description: |- + ValidationAction specifies the action to be taken when the matched resource violates the policy. + Required. + items: + description: ValidationAction specifies a policy enforcement action. + enum: + - Deny + - Audit + - Warn + type: string + type: array + x-kubernetes-list-type: set + validationConfigurations: + default: {} + description: ValidationConfigurations defines settings for mutating + and verifying image digests, and enforcing image verification through + signatures. + properties: + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + required: + default: true + description: Required validates that images are verified, i.e., + have passed a signature or attestation check. + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a digest. + type: boolean + type: object + validations: + description: Validations contain CEL expressions which is used to + apply the image validation checks. + items: + description: Validation specifies the CEL expression which is used + to apply the validation. + properties: + expression: + description: "Expression represents the expression which will + be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, + organized into CEL variables as well as some other useful + variables:\n\n- 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE requests.\n- + 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by the policy binding + being evaluated. Only populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming + object belongs to. The value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, from its name to + its lazily evaluated value.\n For example, a variable named + 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization checks + for the principal (user or service account) of the request.\n + \ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the\n request resource.\n\nThe + `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. No other + metadata properties are accessible.\n\nOnly property names + of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible + property names are escaped according to the following rules + when accessed in the expression:\n- '__' escapes to '__underscores__'\n- + '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' + escapes to '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", + \"const\", \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", + \"return\".\nExamples:\n - Expression accessing a property + named \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression + accessing a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"}\n\nEquality on arrays + with list type of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type + use the semantics of the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements in `X` are + preserved and\n non-intersecting elements in `Y` are appended, + retaining their partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys in `X` are preserved + but the values\n are overwritten by values in `Y` when + the key sets of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining their partial + order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + items: + description: Variable is the definition of a variable that is used + for composition. A variable is defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + webhookConfiguration: + description: WebhookConfiguration defines the configuration for the + webhook. + properties: + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + required: + - attestors + - validations + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + properties: + configs: + additionalProperties: + properties: + spec: + description: ImageValidatingPolicySpec is the specification + of the desired behavior of the ImageValidatingPolicy. + properties: + attestations: + description: Attestations provides a list of image metadata + to verify + items: + description: Attestation defines the identification + details of the metadata that has to be verified + properties: + intoto: + description: InToto defines the details of attestation + attached using intoto format + properties: + type: + description: Type defines the type of attestation + contained within the statement. + type: string + required: + - type + type: object + name: + description: Name is the name for this attestation. + It is used to refer to the attestation in verification + type: string + referrer: + description: Referrer defines the details of attestation + attached using OCI 1.1 format + properties: + type: + description: Type defines the type of attestation + attached to the image. + type: string + required: + - type + type: object + required: + - name + type: object + type: array + attestors: + description: Attestors provides a list of trusted authorities. + items: + description: Attestor is an identity that confirms + or verifies the authenticity of an image or an attestation + properties: + cosign: + description: Cosign defines attestor configuration + for Cosign based signatures + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + certificate: + description: Certificate defines the configuration + for local signature verification + properties: + cert: + description: Certificate is the to the + public certificate for local signature + verification. + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the + a CEL expression input. + type: string + value: + description: Value defines the raw + string input. + type: string + type: object + certChain: + description: |- + CertificateChain is the list of CA certificates in PEM format which will be needed + when building the certificate chain for the signing certificate. Must start with the + parent intermediate CA certificate of the signing certificate and end with the root certificate + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the + a CEL expression input. + type: string + value: + description: Value defines the raw + string input. + type: string + type: object + type: object + ctlog: + description: CTLog sets the configuration + to verify the authority against a Rekor + instance. + properties: + ctLogPubKey: + description: CTLogPubKey, if set, is used + to validate SCTs against a custom source. + type: string + insecureIgnoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + insecureIgnoreTlog: + description: InsecureIgnoreTlog skips + transparency log verification. + type: boolean + rekorPubKey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + url: + description: URL sets the url to the rekor + instance (by default the public rekor.sigstore.dev) + type: string + type: object + key: + description: Key defines the type of key to + validate the image. + properties: + data: + description: Data contains the inline + public key + type: string + expression: + description: Expression is a Expression + expression that returns the public key. + type: string + hashAlgorithm: + description: |- + HashAlgorithm specifues signature algorithm for public keys. Supported values are + sha224, sha256, sha384 and sha512. Defaults to sha256. + type: string + kms: + description: |- + KMS contains the KMS url of the public key + Supported formats differ based on the KMS system used. + type: string + type: object + keyless: + description: Keyless sets the configuration + to verify the authority against a Fulcio + instance. + properties: + identities: + description: Identities sets a list of + identities. + items: + description: |- + Identity may contain the issuer and/or the subject found in the transparency + log. + Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp + apply a regexp for matching. + properties: + issuer: + description: Issuer defines the + issuer for this identity. + type: string + issuerRegExp: + description: IssuerRegExp specifies + a regular expression to match + the issuer for this identity. + type: string + subject: + description: Subject defines the + subject for this identity. + type: string + subjectRegExp: + description: SubjectRegExp specifies + a regular expression to match + the subject for this identity. + type: string + type: object + type: array + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + required: + - identities + type: object + source: + description: Sources sets the configuration + to specify the sources from where to consume + the signature and attestations. + properties: + PullSecrets: + description: |- + SignaturePullSecrets is an optional list of references to secrets in the + same namespace as the deploying resource for pulling any of the signatures + used by this Source. + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + repository: + description: Repository defines the location + from where to pull the signature / attestations. + type: string + tagPrefix: + description: |- + TagPrefix is an optional prefix that signature and attestations have. + This is the 'tag based discovery' and in the future once references are + fully supported that should likely be the preferred way to handle these. + type: string + type: object + tuf: + description: TUF defines the configuration + to fetch sigstore root + properties: + mirror: + description: Mirror is the base URL of + Sigstore TUF repository + type: string + root: + description: Root defines the path or + data of the trusted root + properties: + data: + description: Data is the base64 encoded + TUF root + type: string + path: + description: Path is the URL or File + location of the TUF root + type: string + type: object + type: object + type: object + name: + description: Name is the name for this attestor. + It is used to refer to the attestor in verification + type: string + notary: + description: Notary defines attestor configuration + for Notary based signatures + properties: + certs: + description: Certs define the cert chain for + Notary signature verification + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a + CEL expression input. + type: string + value: + description: Value defines the raw string + input. + type: string + type: object + tsaCerts: + description: TSACerts define the cert chain + for verifying timestamps of notary signature + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a + CEL expression input. + type: string + value: + description: Value defines the raw string + input. + type: string + type: object + type: object + required: + - name + type: object + type: array + auditAnnotations: + description: |- + auditAnnotations contains CEL expressions which are used to produce audit + annotations for the audit event of the API request. + validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is + required. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + x-kubernetes-list-type: atomic + autogen: + description: AutogenConfiguration defines the configuration + for the generation controller. + properties: + podControllers: + description: PodControllers specifies whether to + generate a pod controllers rules. + properties: + controllers: + items: + type: string + type: array + type: object + type: object + credentials: + description: Credentials provides credentials that will + be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: CredentialsProvidersType provides + the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + evaluation: + description: EvaluationConfiguration defines the configuration + for the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation + during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation + during background scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + mode: + description: |- + Mode is the mode of policy evaluation. + Allowed values are "Kubernetes" or "JSON". + Optional. Default value is "Kubernetes". + type: string + type: object + failurePolicy: + description: |- + FailurePolicy defines how to handle failures for the admission policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid + or mis-configured policy definitions or bindings. + enum: + - Ignore + - Fail + type: string + images: + description: ImageExtractors is a list of CEL expression + to extract images from the resource + items: + properties: + expression: + description: Expression defines CEL expression + to extract images from the resource. + type: string + name: + description: Name is the name for this imageList. + It is used to refer to the images in verification + block as images. + type: string + required: + - expression + - name + type: object + type: array + matchConditions: + description: |- + MatchConditions is a list of conditions that must be met for a request to be validated. + Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + There are a maximum of 64 match conditions allowed. + items: + description: MatchCondition represents a condition + which must by fulfilled for a request to be sent + to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + matchConstraints: + description: MatchConstraints specifies what resources + this policy is designed to validate. + properties: + excludeResourceRules: + description: |- + ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. + The exclude rules take precedence over include rules (if a resource matches both, it is excluded) + items: + description: NamedRuleWithOperations is a tuple + of Operations and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an + operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional + white list of names that the rule applies + to. An empty set means that everything + is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + matchPolicy: + description: |- + matchPolicy defines how the "MatchResources" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". + + - Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. + + - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. + + Defaults to "Equivalent" + type: string + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the admission control policy on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the policy. + + For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] + } + + If instead you want to only run the policy on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] + } + + See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + for more examples of label selectors. + + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the validation based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the cel validation, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resourceRules: + description: |- + ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. + The policy cares about an operation if it matches _any_ Rule. + items: + description: NamedRuleWithOperations is a tuple + of Operations and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an + operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional + white list of names that the rule applies + to. An empty set means that everything + is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + matchImageReferences: + description: |- + MatchImageReferences is a list of Glob and CELExpressions to match images. + Any image that matches one of the rules is considered for validation + Any image that does not match a rule is skipped, even when they are passed as arguments to + image verification functions + items: + description: MatchImageReference defines a Glob or + a CEL expression for matching images + oneOf: + - required: + - glob + - required: + - expression + properties: + expression: + description: Expression defines CEL Expressions + for matching images + type: string + glob: + description: Glob defines a globbing pattern for + matching images + type: string + type: object + type: array + validationActions: + description: |- + ValidationAction specifies the action to be taken when the matched resource violates the policy. + Required. + items: + description: ValidationAction specifies a policy enforcement + action. + enum: + - Deny + - Audit + - Warn + type: string + type: array + x-kubernetes-list-type: set + validationConfigurations: + default: {} + description: ValidationConfigurations defines settings + for mutating and verifying image digests, and enforcing + image verification through signatures. + properties: + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + required: + default: true + description: Required validates that images are + verified, i.e., have passed a signature or attestation + check. + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images + have a digest. + type: boolean + type: object + validations: + description: Validations contain CEL expressions which + is used to apply the image validation checks. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + webhookConfiguration: + description: WebhookConfiguration defines the configuration + for the webhook. + properties: + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + required: + - attestors + - validations + type: object + required: + - spec + type: object + type: object + type: object + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml new file mode 100644 index 0000000000..436542b276 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml @@ -0,0 +1,113 @@ +{{- if .Values.groups.policies.policyexceptions }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: policyexceptions.policies.kyverno.io +spec: + group: policies.kyverno.io + names: + kind: PolicyException + listKind: PolicyExceptionList + plural: policyexceptions + singular: policyexception + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + matchConditions: + description: MatchConditions is a list of CEL expressions that must + be met for a resource to be excluded. + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + policyRefs: + description: PolicyRefs identifies the policies to which the exception + is applied. + items: + properties: + kind: + description: Kind is the kind of the policy + type: string + name: + description: Name is the name of the policy + type: string + required: + - kind + - name + type: object + type: array + required: + - policyRefs + type: object + required: + - spec + type: object + served: true + storage: true +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml new file mode 100644 index 0000000000..6668d6ea65 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml @@ -0,0 +1,1523 @@ +{{- if .Values.groups.policies.validatingpolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: validatingpolicies.policies.kyverno.io +spec: + group: policies.kyverno.io + names: + categories: + - kyverno + kind: ValidatingPolicy + listKind: ValidatingPolicyList + plural: validatingpolicies + shortNames: + - vpol + singular: validatingpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .status.conditionStatus.ready + name: READY + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ValidatingPolicySpec is the specification of the desired + behavior of the ValidatingPolicy. + properties: + auditAnnotations: + description: |- + auditAnnotations contains CEL expressions which are used to produce audit + annotations for the audit event of the API request. + validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is + required. + items: + description: AuditAnnotation describes how to produce an audit annotation + for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + x-kubernetes-list-type: atomic + autogen: + description: AutogenConfiguration defines the configuration for the + generation controller. + properties: + podControllers: + description: PodControllers specifies whether to generate a pod + controllers rules. + properties: + controllers: + items: + type: string + type: array + type: object + validatingAdmissionPolicy: + description: ValidatingAdmissionPolicy specifies whether to generate + a Kubernetes ValidatingAdmissionPolicy. + properties: + enabled: + description: |- + Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. + Optional. Defaults to "false" if not specified. + type: boolean + type: object + type: object + evaluation: + description: EvaluationConfiguration defines the configuration for + the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation during background + scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + mode: + description: |- + Mode is the mode of policy evaluation. + Allowed values are "Kubernetes" or "JSON". + Optional. Default value is "Kubernetes". + type: string + type: object + failurePolicy: + description: |- + failurePolicy defines how to handle failures for the admission policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid + or mis-configured policy definitions or bindings. + + failurePolicy does not define how validations that evaluate to false are handled. + + When failurePolicy is set to Fail, the validationActions field define how failures are enforced. + + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchConditions is a list of conditions that must be met for a request to be validated. + Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + There are a maximum of 64 match conditions allowed. + + If a parameter object is provided, it can be accessed via the `params` handle in the same + manner as validation expressions. + + The exact matching logic is (in order): + 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. + 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. + 3. If any matchCondition evaluates to an error (but none are FALSE): + - If failurePolicy=Fail, reject the request + - If failurePolicy=Ignore, the policy is skipped + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + matchConstraints: + description: |- + MatchConstraints specifies what resources this policy is designed to validate. + The AdmissionPolicy cares about a request if it matches _all_ Constraints. + Required. + properties: + excludeResourceRules: + description: |- + ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. + The exclude rules take precedence over include rules (if a resource matches both, it is excluded) + items: + description: NamedRuleWithOperations is a tuple of Operations + and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for + a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional white list of + names that the rule applies to. An empty set means that + everything is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + matchPolicy: + description: |- + matchPolicy defines how the "MatchResources" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". + + - Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. + + - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. + + Defaults to "Equivalent" + type: string + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the admission control policy on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the policy. + + For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] + } + + If instead you want to only run the policy on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] + } + + See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + for more examples of label selectors. + + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the validation based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the cel validation, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resourceRules: + description: |- + ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. + The policy cares about an operation if it matches _any_ Rule. + items: + description: NamedRuleWithOperations is a tuple of Operations + and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for + a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional white list of + names that the rule applies to. An empty set means that + everything is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + validationActions: + description: |- + ValidationAction specifies the action to be taken when the matched resource violates the policy. + Required. + items: + description: ValidationAction specifies a policy enforcement action. + enum: + - Deny + - Audit + - Warn + type: string + type: array + x-kubernetes-list-type: set + validations: + description: |- + Validations contain CEL expressions which is used to apply the validation. + Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is + required. + items: + description: Validation specifies the CEL expression which is used + to apply the validation. + properties: + expression: + description: "Expression represents the expression which will + be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, + organized into CEL variables as well as some other useful + variables:\n\n- 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE requests.\n- + 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by the policy binding + being evaluated. Only populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming + object belongs to. The value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, from its name to + its lazily evaluated value.\n For example, a variable named + 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization checks + for the principal (user or service account) of the request.\n + \ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the\n request resource.\n\nThe + `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. No other + metadata properties are accessible.\n\nOnly property names + of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible + property names are escaped according to the following rules + when accessed in the expression:\n- '__' escapes to '__underscores__'\n- + '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' + escapes to '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", + \"const\", \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", + \"return\".\nExamples:\n - Expression accessing a property + named \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression + accessing a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"}\n\nEquality on arrays + with list type of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type + use the semantics of the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements in `X` are + preserved and\n non-intersecting elements in `Y` are appended, + retaining their partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys in `X` are preserved + but the values\n are overwritten by values in `Y` when + the key sets of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining their partial + order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy + except MatchConditions because MatchConditions are evaluated before the rest of the policy. + + The expression of a variable can refer to other variables defined earlier in the list but not those after. + Thus, Variables must be sorted by the order of first appearance and acyclic. + items: + description: Variable is the definition of a variable that is used + for composition. A variable is defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + webhookConfiguration: + description: WebhookConfiguration defines the configuration for the + webhook. + properties: + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + properties: + configs: + additionalProperties: + properties: + spec: + description: ValidatingPolicySpec is the specification of + the desired behavior of the ValidatingPolicy. + properties: + auditAnnotations: + description: |- + auditAnnotations contains CEL expressions which are used to produce audit + annotations for the audit event of the API request. + validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is + required. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + x-kubernetes-list-type: atomic + autogen: + description: AutogenConfiguration defines the configuration + for the generation controller. + properties: + podControllers: + description: PodControllers specifies whether to + generate a pod controllers rules. + properties: + controllers: + items: + type: string + type: array + type: object + validatingAdmissionPolicy: + description: ValidatingAdmissionPolicy specifies + whether to generate a Kubernetes ValidatingAdmissionPolicy. + properties: + enabled: + description: |- + Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. + Optional. Defaults to "false" if not specified. + type: boolean + type: object + type: object + evaluation: + description: EvaluationConfiguration defines the configuration + for the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation + during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation + during background scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + mode: + description: |- + Mode is the mode of policy evaluation. + Allowed values are "Kubernetes" or "JSON". + Optional. Default value is "Kubernetes". + type: string + type: object + failurePolicy: + description: |- + failurePolicy defines how to handle failures for the admission policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid + or mis-configured policy definitions or bindings. + + failurePolicy does not define how validations that evaluate to false are handled. + + When failurePolicy is set to Fail, the validationActions field define how failures are enforced. + + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchConditions is a list of conditions that must be met for a request to be validated. + Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + There are a maximum of 64 match conditions allowed. + + If a parameter object is provided, it can be accessed via the `params` handle in the same + manner as validation expressions. + + The exact matching logic is (in order): + 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. + 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. + 3. If any matchCondition evaluates to an error (but none are FALSE): + - If failurePolicy=Fail, reject the request + - If failurePolicy=Ignore, the policy is skipped + items: + description: MatchCondition represents a condition + which must by fulfilled for a request to be sent + to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + matchConstraints: + description: |- + MatchConstraints specifies what resources this policy is designed to validate. + The AdmissionPolicy cares about a request if it matches _all_ Constraints. + Required. + properties: + excludeResourceRules: + description: |- + ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. + The exclude rules take precedence over include rules (if a resource matches both, it is excluded) + items: + description: NamedRuleWithOperations is a tuple + of Operations and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an + operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional + white list of names that the rule applies + to. An empty set means that everything + is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + matchPolicy: + description: |- + matchPolicy defines how the "MatchResources" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". + + - Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. + + - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. + + Defaults to "Equivalent" + type: string + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the admission control policy on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the policy. + + For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] + } + + If instead you want to only run the policy on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] + } + + See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + for more examples of label selectors. + + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the validation based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the cel validation, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resourceRules: + description: |- + ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. + The policy cares about an operation if it matches _any_ Rule. + items: + description: NamedRuleWithOperations is a tuple + of Operations and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an + operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional + white list of names that the rule applies + to. An empty set means that everything + is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + validationActions: + description: |- + ValidationAction specifies the action to be taken when the matched resource violates the policy. + Required. + items: + description: ValidationAction specifies a policy enforcement + action. + enum: + - Deny + - Audit + - Warn + type: string + type: array + x-kubernetes-list-type: set + validations: + description: |- + Validations contain CEL expressions which is used to apply the validation. + Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is + required. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy + except MatchConditions because MatchConditions are evaluated before the rest of the policy. + + The expression of a variable can refer to other variables defined earlier in the list but not those after. + Thus, Variables must be sorted by the order of first appearance and acyclic. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + webhookConfiguration: + description: WebhookConfiguration defines the configuration + for the webhook. + properties: + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + type: object + required: + - spec + type: object + type: object + type: object + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object + generated: + description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy + is generated from the policy or not + type: boolean + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml new file mode 100644 index 0000000000..de4c67fdda --- /dev/null +++ b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml @@ -0,0 +1,342 @@ +{{- if .Values.groups.reports.clusterephemeralreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: clusterephemeralreports.reports.kyverno.io +spec: + group: reports.kyverno.io + names: + categories: + - kyverno + kind: ClusterEphemeralReport + listKind: ClusterEphemeralReportList + plural: clusterephemeralreports + shortNames: + - cephr + singular: clusterephemeralreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.labels['audit\.kyverno\.io/source'] + name: Source + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group'] + name: Group + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind'] + name: Kind + type: string + - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name'] + name: Owner + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid'] + name: Uid + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterEphemeralReport is the Schema for the ClusterEphemeralReports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. a Deployment, + Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: ObjectReference contains enough information to + let you inspect or modify the referred object. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml new file mode 100644 index 0000000000..8a994e1360 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml @@ -0,0 +1,342 @@ +{{- if .Values.groups.reports.ephemeralreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: ephemeralreports.reports.kyverno.io +spec: + group: reports.kyverno.io + names: + categories: + - kyverno + kind: EphemeralReport + listKind: EphemeralReportList + plural: ephemeralreports + shortNames: + - ephr + singular: ephemeralreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.labels['audit\.kyverno\.io/source'] + name: Source + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group'] + name: Group + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind'] + name: Kind + type: string + - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name'] + name: Owner + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid'] + name: Uid + priority: 1 + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: EphemeralReport is the Schema for the EphemeralReports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. a Deployment, + Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: ObjectReference contains enough information to + let you inspect or modify the referred object. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml new file mode 100644 index 0000000000..a6566775e8 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml @@ -0,0 +1,368 @@ +{{- if .Values.groups.wgpolicyk8s.clusterpolicyreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: clusterpolicyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: ClusterPolicyReport + listKind: ClusterPolicyReportList + plural: clusterpolicyreports + shortNames: + - cpolr + singular: clusterpolicyreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + type: string + - jsonPath: .scope.name + name: Name + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + scopeSelector: + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml new file mode 100644 index 0000000000..b5bd0c4505 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml @@ -0,0 +1,367 @@ +{{- if .Values.groups.wgpolicyk8s.policyreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: policyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: PolicyReport + listKind: PolicyReportList + plural: policyreports + shortNames: + - polr + singular: policyreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + type: string + - jsonPath: .scope.name + name: Name + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + scopeSelector: + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/values.yaml b/charts/kyverno/charts/crds/values.yaml index ef555b148c..b4a213ed25 100644 --- a/charts/kyverno/charts/crds/values.yaml +++ b/charts/kyverno/charts/crds/values.yaml @@ -4,7 +4,36 @@ templating: enabled: false debug: false version: ~ - + +groups: + # -- Install CRDs in group `kyverno.io` + # -- This field can be overwritten by setting crds.labels in the parent chart + kyverno: + cleanuppolicies: true + clustercleanuppolicies: true + clusterpolicies: true + globalcontextentries: true + policies: true + policyexceptions: true + updaterequests: true + + # -- Install CRDs in group `reports.kyverno.io` + policies: + validatingpolicies: true + imagevalidatingpolicies: true + policyexceptions: true + + # -- This field can be overwritten by setting crds.labels in the parent chart + reports: + clusterephemeralreports: true + ephemeralreports: true + + # -- Install CRDs in group `wgpolicyk8s.io` + # -- This field can be overwritten by setting crds.labels in the parent chart + wgpolicyk8s: + clusterpolicyreports: true + policyreports: true + # -- Additional CRDs annotations # -- This field can be overwritten by setting crds.annotations in the parent chart annotations: {} diff --git a/charts/kyverno/charts/grafana/Chart.yaml b/charts/kyverno/charts/grafana/Chart.yaml index 07f506f2ba..445be12197 100644 --- a/charts/kyverno/charts/grafana/Chart.yaml +++ b/charts/kyverno/charts/grafana/Chart.yaml @@ -1,3 +1,3 @@ apiVersion: v2 name: grafana -version: 0.0.0 +version: 3.4.1 diff --git a/charts/kyverno/charts/grafana/README.md b/charts/kyverno/charts/grafana/README.md index 514767200a..16167329d4 100644 --- a/charts/kyverno/charts/grafana/README.md +++ b/charts/kyverno/charts/grafana/README.md @@ -1,6 +1,6 @@ # grafana -![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) +![Version: 3.4.1](https://img.shields.io/badge/Version-3.4.1-informational?style=flat-square) ## Values diff --git a/charts/kyverno/charts/grafana/dashboard/dashboard.json b/charts/kyverno/charts/grafana/dashboard/dashboard.json deleted file mode 100644 index 9458bef7b5..0000000000 --- a/charts/kyverno/charts/grafana/dashboard/dashboard.json +++ /dev/null @@ -1,2876 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS_KYVERNO", - "label": "Prometheus Data Source exposing Kyverno's metrics", - "description": "Prometheus Data Source exposing Kyverno's metrics", - "type": "datasource" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "target": { - "limit": 100, - "matchAny": false, - "tags": [], - "type": "dashboard" - }, - "type": "dashboard" - } - ] - }, - "description": "", - "editable": true, - "gnetId": null, - "graphTooltip": 0, - "id": 2, - "iteration": 1628375170149, - "links": [], - "panels": [ - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "gridPos": { - "h": 6, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 42, - "options": { - "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)", - "mode": "markdown" - }, - "pluginVersion": "8.1.0", - "timeFrom": null, - "timeShift": null, - "transparent": true, - "type": "text" - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 6 - }, - "id": 12, - "panels": [], - "title": "Latest Status", - "type": "row" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "max": 100, - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "text", - "value": null - }, - { - "value": 0, - "color": "green" - }, - { - "color": "#eab839", - "value": 25 - }, - { - "color": "red", - "value": 50 - }, - { - "color": "red", - "value": 100 - } - ] - }, - "unit": "percent" - }, - "overrides": [] - }, - "gridPos": { - "h": 6, - "w": 6, - "x": 0, - "y": 7 - }, - "id": 29, - "options": { - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{cluster=~\"$cluster\"}[24h]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Rule Execution Failure Rate (Last 24 Hours)", - "transparent": true, - "type": "gauge" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 5, - "w": 4, - "x": 8, - "y": 7 - }, - "id": 2, - "options": { - "colorMode": "background", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"cluster\",cluster=~\"$cluster\"}==1) by (policy_name))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Cluster Policies", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 5, - "w": 4, - "x": 12, - "y": 7 - }, - "id": 3, - "options": { - "colorMode": "background", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"namespaced\", cluster=~\"$cluster\"}==1) by (policy_name))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Policies", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "max": 100, - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "text", - "value": null - }, - { - "value": 0, - "color": "green" - }, - { - "color": "#eab839", - "value": 25 - }, - { - "color": "red", - "value": 50 - }, - { - "color": "red", - "value": 100 - } - ] - }, - "unit": "percent" - }, - "overrides": [] - }, - "gridPos": { - "h": 6, - "w": 6, - "x": 18, - "y": 7 - }, - "id": 28, - "options": { - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", policy_background_mode=\"true\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{policy_background_mode=\"true\", cluster=~\"$cluster\"}[24h]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Background Scans Failure Rate (Last 24 Hours)", - "transparent": true, - "type": "gauge" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 6, - "y": 12 - }, - "id": 4, - "options": { - "colorMode": "background", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"validate\", cluster=~\"$cluster\"}==1) by (rule_name))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Validate Rules", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 10, - "y": 12 - }, - "id": 23, - "options": { - "colorMode": "background", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"mutate\", cluster=~\"$cluster\"}==1) by (rule_name))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Mutate Rules", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 14, - "y": 12 - }, - "id": 6, - "options": { - "colorMode": "background", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"generate\", cluster=~\"$cluster\"}==1) by (rule_name))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Generate Rules", - "type": "stat" - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 16 - }, - "id": 26, - "panels": [], - "title": "Policy-Rule Results", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 17 - }, - "hiddenSeries": false, - "id": 15, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "pass", - "color": "rgb(43, 219, 23)", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "fail", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\", cluster=~\"$cluster\"}[5m])) by (rule_result)", - "interval": "", - "legendFormat": "Admission Review Result: {{rule_result}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Admission Review Results (per-rule)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 17 - }, - "hiddenSeries": false, - "id": 17, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "pass", - "color": "rgb(43, 219, 23)", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "fail", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\", cluster=~\"$cluster\"}[5m])) by (rule_result)", - "interval": "", - "legendFormat": "Background Scan Result: {{rule_result}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Background Scan Results (per-rule)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 16, - "w": 8, - "x": 16, - "y": 17 - }, - "hiddenSeries": false, - "id": 30, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "cluster", - "color": "#5794F2", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "namespaced", - "color": "#F2495C", - "dashes": true - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[5m])) by (policy_name, policy_type)) by (policy_type)", - "interval": "", - "legendFormat": "Policy Type: {{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Policy Failures", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 25 - }, - "hiddenSeries": false, - "id": 31, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "pass", - "color": "rgb(43, 219, 23)", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "fail", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\", cluster=~\"$cluster\"}[5m])) by (policy_name, rule_result)) by (rule_result)", - "interval": "", - "legendFormat": "Admission Review Result: {{rule_result}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Admission Review Results (per-policy)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 25 - }, - "hiddenSeries": false, - "id": 32, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "pass", - "color": "rgb(43, 219, 23)", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "fail", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\", cluster=~\"$cluster\"}[5m])) by (policy_name, rule_result)) by (rule_result)", - "interval": "", - "legendFormat": "Background Scan Result: {{rule_result}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Background Scan Results (per-policy)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 33 - }, - "id": 19, - "panels": [], - "title": "Policy-Rule Info", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 34 - }, - "hiddenSeries": false, - "id": 16, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:3795", - "alias": "cluster", - "color": "#5794F2" - }, - { - "$$hashKey": "object:3800", - "alias": "namespaced", - "color": "#FF7383" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (policy_name, policy_type)) by (policy_type)", - "interval": "", - "legendFormat": "Policy Type: {{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Policies (by policy type)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 34 - }, - "hiddenSeries": false, - "id": 20, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:3319", - "alias": "audit", - "color": "#37872D" - }, - { - "$$hashKey": "object:3335", - "alias": "enforce", - "color": "#FF9830" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (policy_name, policy_validation_mode)) by (policy_validation_mode)", - "interval": "", - "legendFormat": "Policy Validation Mode: {{policy_validation_mode}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Policies (by policy validation action)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 16, - "y": 34 - }, - "hiddenSeries": false, - "id": 24, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:3934", - "alias": "cluster", - "color": "#B877D9" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{policy_background_mode=\"true\", cluster=~\"$cluster\"}==1) by (policy_name, policy_type)) by (policy_type)", - "interval": "", - "legendFormat": "Policy Type: {{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Policies running in background mode", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 42 - }, - "hiddenSeries": false, - "id": 21, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{policy_namespace!=\"-\", cluster=~\"$cluster\"}==1) by (policy_name, policy_namespace)) by (policy_namespace)", - "interval": "", - "legendFormat": "Namespace: {{policy_namespace}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Namespaced Policies (by namespaces)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 10, - "x": 8, - "y": 42 - }, - "hiddenSeries": false, - "id": 14, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:3021", - "alias": "mutate", - "color": "rgb(169, 58, 227)" - }, - { - "$$hashKey": "object:3029", - "alias": "validate", - "color": "rgb(255, 232, 0)" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (rule_type, rule_name)) by (rule_type)", - "interval": "", - "legendFormat": "Rule Type: {{rule_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Rules (by rule type)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 50 - }, - "id": 34, - "panels": [], - "title": "Policy-Rule Execution Latency", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 0, - "y": 51 - }, - "hiddenSeries": false, - "id": 36, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (rule_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (rule_type)", - "interval": "", - "legendFormat": "Rule Type: {{rule_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Average Rule Execution Latency Over Time", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:5548", - "format": "s", - "label": "", - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:5549", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 9, - "y": 51 - }, - "hiddenSeries": false, - "id": 37, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:5526", - "alias": "cluster", - "color": "#5794F2" - }, - { - "$$hashKey": "object:5534", - "alias": "namespaced", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (policy_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (policy_type)", - "interval": "", - "legendFormat": "Policy Type: {{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Average Policy Execution Latency Over Time", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:5548", - "format": "clocks", - "label": "", - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:5549", - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "purple", - "value": null - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 51 - }, - "id": 39, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}) / sum(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"})", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Overall Average Rule Execution Latency", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 55 - }, - "id": 40, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "avg(sum(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}) by (policy_name, policy_type) / sum(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}) by (policy_name, policy_type))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Overall Average Policy Execution Latency", - "type": "stat" - }, - { - "collapsed": false, - "datasource": null, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 59 - }, - "id": 52, - "panels": [], - "title": "Admission Review Latency", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 0, - "y": 60 - }, - "hiddenSeries": false, - "id": 53, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (resource_request_operation) / sum(rate(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (resource_request_operation)", - "interval": "", - "legendFormat": "Resource Operation: {{resource_request_operation}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Avg - Admission Review Duration Over Time (by operation)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 9, - "y": 60 - }, - "hiddenSeries": false, - "id": 54, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (resource_kind) / sum(rate(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (resource_kind)", - "interval": "", - "legendFormat": "Resource Kind: {{resource_kind}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Avg - Admission Review Duration Over Time (by resource kind)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 60 - }, - "id": 50, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Rate - Incoming Admission Requests (per 5m)", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "purple", - "value": null - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 64 - }, - "id": 55, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"})/sum(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"})", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Avg - Overall Admission Review Duration", - "type": "stat" - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 68 - }, - "id": 8, - "panels": [], - "title": "Policy Changes", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 0, - "y": 69 - }, - "hiddenSeries": false, - "id": 10, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:1487", - "alias": "Change type: created", - "color": "#5794F2" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m])) by (policy_change_type)", - "interval": "", - "legendFormat": "Change type: {{policy_change_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Policy Changes Over Time (by change type)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 9, - "y": 69 - }, - "hiddenSeries": false, - "id": 13, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:1679", - "alias": "cluster", - "color": "#F2495C" - }, - { - "$$hashKey": "object:1769" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m])) by (policy_type)", - "interval": "", - "legendFormat": "Policy Type: {{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Policy Changes Over Time (by policy type)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "orange", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 69 - }, - "id": 49, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[24h]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Total Policy Changes (Last 24 Hours)", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "red", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 73 - }, - "id": 48, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(rate(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Rate - Policy Changes Happening (last 5m)", - "type": "stat" - }, - { - "collapsed": false, - "datasource": null, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 77 - }, - "id": 44, - "panels": [], - "title": "Admission Requests", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 0, - "y": 78 - }, - "hiddenSeries": false, - "id": 45, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:1487", - "alias": "Change type: created", - "color": "#5794F2" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m])) by (resource_request_operation)", - "interval": "", - "legendFormat": "Resource Operation: {{resource_request_operation}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Admission Requests (by operation)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 9, - "y": 78 - }, - "hiddenSeries": false, - "id": 46, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:1487", - "alias": "Change type: created", - "color": "#5794F2" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m])) by (resource_kind)", - "interval": "", - "legendFormat": "Resource Kind: {{resource_kind}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Admission Requests (by resource kind)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "semi-dark-green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 6, - "x": 18, - "y": 78 - }, - "id": 47, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[24h]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Total Admission Requests (Last 24 Hours)", - "type": "stat" - } - ], - "refresh": false, - "schemaVersion": 30, - "style": "dark", - "tags": [], - "templating": { - "list": [ - { - "hide": 0, - "label": "datasource", - "name": "DS_PROMETHEUS_KYVERNO", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "type": "datasource" - } - ,{ - "allValue": ".*", - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "definition": "label_values(kyverno_policy_results_total, cluster)", - "hide": 0, - "includeAll": true, - "label": "Cluster", - "multi": true, - "name": "cluster", - "options": [], - "query": "label_values(kyverno_policy_results_total, cluster)", - "refresh": 2, - "type": "query" - } - ] - }, - "time": { - "from": "now-1h", - "to": "now" - }, - "timepicker": {}, - "timezone": "", - "title": "Kyverno Metrics", - "folder": "Kyverno", - "uid": "Rg8lWBG7k", - "version": "1.4.3" -} diff --git a/charts/kyverno/charts/grafana/dashboard/kyverno-dashboard.json b/charts/kyverno/charts/grafana/dashboard/kyverno-dashboard.json new file mode 100644 index 0000000000..660a5352c0 --- /dev/null +++ b/charts/kyverno/charts/grafana/dashboard/kyverno-dashboard.json @@ -0,0 +1,3439 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 472, + "links": [], + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 6, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 42, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)", + "mode": "markdown" + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 6 + }, + "id": 12, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Latest Status", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 0 + }, + { + "color": "#eab839", + "value": 25 + }, + { + "color": "red", + "value": 50 + }, + { + "color": "red", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 29, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "sizing": "auto", + "text": {} + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rule Execution Failure Rate (Last 24 Hours)", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 8, + "y": 7 + }, + "id": 2, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"cluster\",cluster=~\"$cluster\"}==1) by (policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Cluster Policies", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 12, + "y": 7 + }, + "id": 3, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"namespaced\", cluster=~\"$cluster\"}==1) by (policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Policies", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 0 + }, + { + "color": "#eab839", + "value": 25 + }, + { + "color": "red", + "value": 50 + }, + { + "color": "red", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 28, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "sizing": "auto", + "text": {} + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", policy_background_mode=\"true\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{policy_background_mode=\"true\", cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Background Scans Failure Rate (Last 24 Hours)", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 6, + "y": 12 + }, + "id": 4, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"validate\", cluster=~\"$cluster\"}==1) by (rule_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Validate Rules", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 10, + "y": 12 + }, + "id": 23, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"mutate\", cluster=~\"$cluster\"}==1) by (rule_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Mutate Rules", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 14, + "y": 12 + }, + "id": 6, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"generate\", cluster=~\"$cluster\"}==1) by (rule_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Generate Rules", + "type": "stat" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 16 + }, + "id": 26, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Policy-Rule Results", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 17 + }, + "id": 15, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\", cluster=~\"$cluster\"}[5m])) by (rule_result)", + "interval": "", + "legendFormat": "Admission Review Result: {{rule_result}}", + "refId": "A" + } + ], + "title": "Admission Review Results (per-rule)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 17 + }, + "id": 17, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\", cluster=~\"$cluster\"}[5m])) by (rule_result)", + "interval": "", + "legendFormat": "Background Scan Result: {{rule_result}}", + "refId": "A" + } + ], + "title": "Background Scan Results (per-rule)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "namespaced" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + } + ] + }, + "gridPos": { + "h": 16, + "w": 8, + "x": 16, + "y": 17 + }, + "id": 30, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[5m])) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Policy Failures", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 25 + }, + "id": 31, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\", cluster=~\"$cluster\"}[5m])) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + "legendFormat": "Admission Review Result: {{rule_result}}", + "refId": "A" + } + ], + "title": "Admission Review Results (per-policy)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 25 + }, + "id": 32, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\", cluster=~\"$cluster\"}[5m])) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + "legendFormat": "Background Scan Result: {{rule_result}}", + "refId": "A" + } + ], + "title": "Background Scan Results (per-policy)", + "type": "timeseries" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 33 + }, + "id": 19, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Policy-Rule Info", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "namespaced" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FF7383", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 34 + }, + "id": 16, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Active Policies (by policy type)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "audit" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#37872D", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "enforce" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FF9830", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 34 + }, + "id": 20, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (policy_name, policy_validation_mode)) by (policy_validation_mode)", + "interval": "", + "legendFormat": "Policy Validation Mode: {{policy_validation_mode}}", + "refId": "A" + } + ], + "title": "Active Policies (by policy validation action)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#B877D9", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 34 + }, + "id": 24, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_background_mode=\"true\", cluster=~\"$cluster\"}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Active Policies running in background mode", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 21, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_namespace!=\"-\", cluster=~\"$cluster\"}==1) by (policy_name, policy_namespace)) by (policy_namespace)", + "interval": "", + "legendFormat": "Namespace: {{policy_namespace}}", + "refId": "A" + } + ], + "title": "Active Namespaced Policies (by namespaces)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "mutate" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(169, 58, 227)", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "validate" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(255, 232, 0)", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 42 + }, + "id": 14, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (rule_type, rule_name)) by (rule_type)", + "interval": "", + "legendFormat": "Rule Type: {{rule_type}}", + "refId": "A" + } + ], + "title": "Active Rules (by rule type)", + "type": "timeseries" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 50 + }, + "id": 34, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Policy-Rule Execution Latency", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 51 + }, + "id": 36, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (rule_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (rule_type)", + "interval": "", + "legendFormat": "Rule Type: {{rule_type}}", + "refId": "A" + } + ], + "title": "Average Rule Execution Latency Over Time", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "clocks" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "namespaced" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 51 + }, + "id": 37, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (policy_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Average Policy Execution Latency Over Time", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 51 + }, + "id": 39, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}) / sum(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Overall Average Rule Execution Latency", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 55 + }, + "id": 40, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "avg(sum(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}) by (policy_name, policy_type) / sum(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}) by (policy_name, policy_type))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Overall Average Policy Execution Latency", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 59 + }, + "id": 52, + "panels": [], + "targets": [ + { + "datasource": null, + "refId": "A" + } + ], + "title": "Admission Review Latency", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 60 + }, + "id": 53, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (resource_request_operation) / sum(rate(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "title": "Avg - Admission Review Duration Over Time (by operation)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 60 + }, + "id": 54, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (resource_kind) / sum(rate(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "title": "Avg - Admission Review Duration Over Time (by resource kind)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 60 + }, + "id": 50, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Incoming Admission Requests (per 5m)", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 64 + }, + "id": 55, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"})/sum(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Avg - Overall Admission Review Duration", + "type": "stat" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 68 + }, + "id": 8, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Policy Changes", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Change type: created" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 69 + }, + "id": 10, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m])) by (policy_change_type)", + "interval": "", + "legendFormat": "Change type: {{policy_change_type}}", + "refId": "A" + } + ], + "title": "Policy Changes Over Time (by change type)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 69 + }, + "id": 13, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m])) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Policy Changes Over Time (by policy type)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "orange", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 69 + }, + "id": 49, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Policy Changes (Last 24 Hours)", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 73 + }, + "id": 48, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Policy Changes Happening (last 5m)", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 77 + }, + "id": 44, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Admission Requests", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Change type: created" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 78 + }, + "id": 45, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m])) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "title": "Admission Requests (by operation)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Change type: created" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 78 + }, + "id": 46, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m])) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "title": "Admission Requests (by resource kind)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "semi-dark-green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 78 + }, + "id": 47, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Admission Requests (Last 24 Hours)", + "type": "stat" + } + ], + "refresh": false, + "schemaVersion": 39, + "tags": [], + "templating": { + "list": [ + { + "current": null, + "hide": 0, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS_KYVERNO", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "definition": "label_values(kyverno_policy_results_total, cluster)", + "hide": 0, + "includeAll": true, + "label": "Cluster", + "multi": true, + "name": "cluster", + "options": [], + "query": "label_values(kyverno_policy_results_total, cluster)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Kyverno Metrics", + "uid": "Rg8lWBG7k", + "version": 2, + "weekStart": "" + } diff --git a/charts/kyverno/charts/grafana/templates/dashboard.yaml b/charts/kyverno/charts/grafana/templates/dashboard.yaml index 4da55477bf..376cc65d39 100644 --- a/charts/kyverno/charts/grafana/templates/dashboard.yaml +++ b/charts/kyverno/charts/grafana/templates/dashboard.yaml @@ -19,6 +19,8 @@ metadata: name: {{ tpl $.Values.configMapName $ }}-{{ $name }} namespace: {{ default (include "kyverno.namespace" $ ) $.Values.namespace }} spec: + allowCrossNamespaceImport: {{ $.Values.grafanaDashboard.allowCrossNamespaceImport }} + folder: {{ $.Values.grafanaDashboard.folder }} instanceSelector: matchLabels: {{- toYaml $.Values.grafanaDashboard.matchLabels | nindent 6 }} diff --git a/charts/kyverno/ci/cleanupController-values.yaml b/charts/kyverno/ci/cleanupController-values.yaml deleted file mode 100644 index c6a552b2d5..0000000000 --- a/charts/kyverno/ci/cleanupController-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -cleanupController: - enabled: true diff --git a/charts/kyverno/ci/cleanupJobs-values.yaml b/charts/kyverno/ci/cleanupJobs-values.yaml deleted file mode 100644 index 93c04d945c..0000000000 --- a/charts/kyverno/ci/cleanupJobs-values.yaml +++ /dev/null @@ -1,29 +0,0 @@ -cleanupJobs: - admissionReports: - nodeSelector: - kubernetes.io/os: linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - cleanup - topologyKey: kubernetes.io/hostname - clusterAdmissionReports: - nodeSelector: - kubernetes.io/os: linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - cleanup - topologyKey: kubernetes.io/hostname diff --git a/charts/kyverno/ci/default-values.yaml b/charts/kyverno/ci/default-values.yaml deleted file mode 100644 index f5533b97c4..0000000000 --- a/charts/kyverno/ci/default-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -## This tests the default values. diff --git a/charts/kyverno/ci/existingImagePullSecrets-values.yaml b/charts/kyverno/ci/existingImagePullSecrets-values.yaml deleted file mode 100644 index b1d447beae..0000000000 --- a/charts/kyverno/ci/existingImagePullSecrets-values.yaml +++ /dev/null @@ -1,3 +0,0 @@ -existingImagePullSecrets: -- test-registry -- other-test-registry diff --git a/charts/kyverno/ci/extraContainers-values.yaml b/charts/kyverno/ci/extraContainers-values.yaml deleted file mode 100644 index a8d7265c09..0000000000 --- a/charts/kyverno/ci/extraContainers-values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -admissionController: - extraContainers: - - name: myapp-container - image: busybox - command: ['sh', '-c', 'echo Hello && sleep 3600'] - - extraInitContainers: - - name: init-container - image: busybox - command: ['sh', '-c', 'echo Hello'] diff --git a/charts/kyverno/ci/hooks-values.yaml b/charts/kyverno/ci/hooks-values.yaml deleted file mode 100644 index d0d98ab277..0000000000 --- a/charts/kyverno/ci/hooks-values.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -webhooksCleanup: - enable: true - nodeSelector: - kubernetes.io/os: linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - hooks - topologyKey: kubernetes.io/hostname diff --git a/charts/kyverno/ci/imagePullSecrets-values.yaml b/charts/kyverno/ci/imagePullSecrets-values.yaml deleted file mode 100644 index 4ccd122664..0000000000 --- a/charts/kyverno/ci/imagePullSecrets-values.yaml +++ /dev/null @@ -1,9 +0,0 @@ -imagePullSecrets: - regcred: - registry: foo.example.com - username: foobar - password: secret - regcred2: - registry: bar.example.com - username: barbaz - password: secret2 diff --git a/charts/kyverno/ci/imageRegistry-values.yaml b/charts/kyverno/ci/imageRegistry-values.yaml deleted file mode 100644 index 6781293fcf..0000000000 --- a/charts/kyverno/ci/imageRegistry-values.yaml +++ /dev/null @@ -1,15 +0,0 @@ -test: - image: - registry: docker.io - repository: busybox - -admissionController: - container: - image: - registry: ko.local - repository: github.com/kyverno/kyverno/cmd/kyverno - - initContainer: - image: - registry: ko.local - repository: github.com/kyverno/kyverno/cmd/initcontainer diff --git a/charts/kyverno/ci/monitoring-values.yaml b/charts/kyverno/ci/monitoring-values.yaml deleted file mode 100644 index 21a28adab6..0000000000 --- a/charts/kyverno/ci/monitoring-values.yaml +++ /dev/null @@ -1,31 +0,0 @@ ---- -admissionController: - serviceMonitor: - enabled: true - relabelings: - - action: labeldrop - regex: container - -cleanupController: - serviceMonitor: - enabled: true - relabelings: - - action: labeldrop - regex: container - -backgroundController: - serviceMonitor: - enabled: true - relabelings: - - action: labeldrop - regex: container - -reportsController: - serviceMonitor: - enabled: true - relabelings: - - action: labeldrop - regex: container - -grafana: - enabled: true diff --git a/charts/kyverno/ci/networkpolicy-values.yaml b/charts/kyverno/ci/networkpolicy-values.yaml deleted file mode 100644 index dccffd6e58..0000000000 --- a/charts/kyverno/ci/networkpolicy-values.yaml +++ /dev/null @@ -1,3 +0,0 @@ ---- -networkPolicy: - enabled: true diff --git a/charts/kyverno/ci/replicas-values.yaml b/charts/kyverno/ci/replicas-values.yaml deleted file mode 100644 index 7c1620eacd..0000000000 --- a/charts/kyverno/ci/replicas-values.yaml +++ /dev/null @@ -1,11 +0,0 @@ -admissionController: - replicas: 1 - -cleanupController: - replicas: 1 - -reportsController: - replicas: 1 - -backgroundController: - replicas: 1 diff --git a/charts/kyverno/templates/NOTES.txt b/charts/kyverno/templates/NOTES.txt index 5eb551ec51..4ee09d74f4 100644 --- a/charts/kyverno/templates/NOTES.txt +++ b/charts/kyverno/templates/NOTES.txt @@ -22,9 +22,9 @@ The following components have been installed in your cluster: {{- end }} {{ if not .Values.admissionController.replicas }} -⚠️ WARNING: Setting the admission controller replica count below 3 means Kyverno is not running in high availability mode. -{{- else if lt (int .Values.admissionController.replicas) 3 }} -⚠️ WARNING: Setting the admission controller replica count below 3 means Kyverno is not running in high availability mode. +⚠️ WARNING: Setting the admission controller replica count below 2 means Kyverno is not running in high availability mode. +{{- else if lt (int .Values.admissionController.replicas) 2 }} +⚠️ WARNING: Setting the admission controller replica count below 2 means Kyverno is not running in high availability mode. {{- end }} {{- if semverCompare "<1.21.0" .Capabilities.KubeVersion.Version }} @@ -40,7 +40,11 @@ The following components have been installed in your cluster: {{- end }} {{- with .Values.features.validatingAdmissionPolicyReports.enabled }} -⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies require a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled. +⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled. +{{- end }} + +{{ if not .Values.features.policyExceptions.enabled }} +⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set '--enablePolicyException' to true. {{- end }} 💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks. diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl index 7eb2456ab9..f9918d661e 100644 --- a/charts/kyverno/templates/_helpers.tpl +++ b/charts/kyverno/templates/_helpers.tpl @@ -12,6 +12,9 @@ {{- $flags := list -}} {{- with .admissionReports -}} {{- $flags = append $flags (print "--admissionReports=" .enabled) -}} + {{- with .backPressureThreshold -}} + {{- $flags = append $flags (print "--maxAdmissionReports=" .) -}} + {{- end -}} {{- end -}} {{- with .aggregateReports -}} {{- $flags = append $flags (print "--aggregateReports=" .enabled) -}} @@ -46,13 +49,19 @@ {{- with .generateValidatingAdmissionPolicy -}} {{- $flags = append $flags (print "--generateValidatingAdmissionPolicy=" .enabled) -}} {{- end -}} +{{- with .dumpPatches -}} + {{- $flags = append $flags (print "--dumpPatches=" .enabled) -}} +{{- end -}} +{{- with .globalContext -}} + {{- $flags = append $flags (print "--maxAPICallResponseLength=" (int .maxApiCallResponseLength)) -}} +{{- end -}} {{- with .logging -}} {{- $flags = append $flags (print "--loggingFormat=" .format) -}} {{- $flags = append $flags (print "--v=" (join "," .verbosity)) -}} {{- end -}} {{- with .omitEvents -}} {{- with .eventTypes -}} - {{- $flags = append $flags (print "--omit-events=" (join "," .)) -}} + {{- $flags = append $flags (print "--omitEvents=" (join "," .)) -}} {{- end -}} {{- end -}} {{- with .policyExceptions -}} @@ -64,9 +73,6 @@ {{- with .protectManagedResources -}} {{- $flags = append $flags (print "--protectManagedResources=" .enabled) -}} {{- end -}} -{{- with .reports -}} - {{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}} -{{- end -}} {{- with .registryClient -}} {{- $flags = append $flags (print "--allowInsecureRegistry=" .allowInsecure) -}} {{- $flags = append $flags (print "--registryCredentialHelpers=" (join "," .credentialHelpers)) -}} @@ -84,8 +90,30 @@ {{- with .root -}} {{- $flags = append $flags (print "--tufRoot=" .) -}} {{- end -}} + {{- with .rootRaw -}} + {{- $flags = append $flags (print "--tufRootRaw=" .) -}} + {{- end -}} +{{- end -}} +{{- with .reporting -}} + {{- $reportingConfig := list -}} + {{- with .validate -}} + {{- $reportingConfig = append $reportingConfig "validate" -}} + {{- end -}} + {{- with .mutate -}} + {{- $reportingConfig = append $reportingConfig "mutate" -}} + {{- end -}} + {{- with .mutateExisting -}} + {{- $reportingConfig = append $reportingConfig "mutateExisting" -}} + {{- end -}} + {{- with .imageVerify -}} + {{- $reportingConfig = append $reportingConfig "imageVerify" -}} + {{- end -}} + {{- with .generate -}} + {{- $reportingConfig = append $reportingConfig "generate" -}} + {{- end -}} + {{- $flags = append $flags (print "--enableReporting=" (join "," $reportingConfig)) -}} {{- end -}} {{- with $flags -}} {{- toYaml . -}} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/kyverno/templates/_helpers/_flowcontrol.tpl b/charts/kyverno/templates/_helpers/_flowcontrol.tpl index 39bae46907..d6fb1077e3 100644 --- a/charts/kyverno/templates/_helpers/_flowcontrol.tpl +++ b/charts/kyverno/templates/_helpers/_flowcontrol.tpl @@ -1,7 +1,9 @@ {{/* vim: set filetype=mustache: */}} {{- define "kyverno.flowcontrol.apiVersion" -}} -{{- if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta3" -}} +{{- if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1" -}} + flowcontrol.apiserver.k8s.io/v1 +{{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta3" -}} flowcontrol.apiserver.k8s.io/v1beta3 {{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta2" -}} flowcontrol.apiserver.k8s.io/v1beta2 diff --git a/charts/kyverno/templates/_helpers/_image.tpl b/charts/kyverno/templates/_helpers/_image.tpl index 90f95d0c31..7f804917d1 100644 --- a/charts/kyverno/templates/_helpers/_image.tpl +++ b/charts/kyverno/templates/_helpers/_image.tpl @@ -5,7 +5,7 @@ {{- if not (typeIs "string" $tag) -}} {{ fail "Image tags must be strings." }} {{- end -}} -{{- $imageRegistry := default .image.registry .globalRegistry -}} +{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}} {{- if $imageRegistry -}} {{- print $imageRegistry "/" (required "An image repository is required" .image.repository) ":" $tag -}} {{- else -}} diff --git a/charts/kyverno/templates/_helpers/_pdb.tpl b/charts/kyverno/templates/_helpers/_pdb.tpl index 4d4af90599..7453303fd0 100644 --- a/charts/kyverno/templates/_helpers/_pdb.tpl +++ b/charts/kyverno/templates/_helpers/_pdb.tpl @@ -3,10 +3,8 @@ {{- define "kyverno.pdb.apiVersion" -}} {{- if .Values.apiVersionOverride.podDisruptionBudget -}} {{- .Values.apiVersionOverride.podDisruptionBudget -}} -{{- else if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} - policy/v1 {{- else -}} - policy/v1beta1 + policy/v1 {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/admission-controller/_helpers.tpl b/charts/kyverno/templates/admission-controller/_helpers.tpl index 2c9ece0a28..0be041a2eb 100644 --- a/charts/kyverno/templates/admission-controller/_helpers.tpl +++ b/charts/kyverno/templates/admission-controller/_helpers.tpl @@ -33,3 +33,7 @@ {{- define "kyverno.admission-controller.serviceName" -}} {{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{- define "kyverno.admission-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.admission-controller.name" .) }} +{{- end -}} \ No newline at end of file diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml index 75e8862cbc..4b88f57376 100644 --- a/charts/kyverno/templates/admission-controller/clusterrole.yaml +++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml @@ -7,6 +7,8 @@ metadata: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-admission-controller: "true" - matchLabels: {{- include "kyverno.admission-controller.matchLabels" . | nindent 8 }} --- @@ -14,9 +16,23 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "kyverno.admission-controller.roleName" . }}:core + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get - apiGroups: - admissionregistration.k8s.io resources: @@ -43,6 +59,7 @@ rules: - rolebindings - clusterrolebindings verbs: + - get - list - watch - apiGroups: @@ -54,10 +71,40 @@ rules: - clusterpolicies/status - updaterequests - updaterequests/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports + - globalcontextentries + - globalcontextentries/status + - policyexceptions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - policies.kyverno.io + resources: + - validatingpolicies + - validatingpolicies/status + - policyexceptions + - imagevalidatingpolicies + - imagevalidatingpolicies/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports verbs: - create - delete @@ -99,13 +146,53 @@ rules: verbs: - create - apiGroups: - - '*' + - '' resources: - - '*' + - configmaps + - namespaces verbs: - get - list - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - update + - patch + - get + - list + - watch + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + resourceNames: + - {{ template "kyverno.admission-controller.roleName" . }} + - {{ template "kyverno.admission-controller.roleName" . }}:core + - {{ template "kyverno.admission-controller.roleName" . }}:temporary + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - create + - list + {{- end }} + {{- end }} +{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.admissionController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml b/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml index 6272deec4d..4cd35b6164 100644 --- a/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml +++ b/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml @@ -13,4 +13,21 @@ subjects: - kind: ServiceAccount name: {{ template "kyverno.admission-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} +{{- if .Values.admissionController.rbac.createViewRoleBinding }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }}:view + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.admissionController.rbac.viewRoleName }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/admission-controller/configmap.yaml b/charts/kyverno/templates/admission-controller/configmap.yaml new file mode 100644 index 0000000000..d0b2bf66e4 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/configmap.yaml @@ -0,0 +1,12 @@ +{{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kyverno.admission-controller.caCertificatesConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +data: + ca-certificates: | + {{ .Values.admissionController.caCertificates.data | default .Values.global.caCertificates.data | indent 4 | trim }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml index 42e3396ccf..7c61fe64da 100644 --- a/charts/kyverno/templates/admission-controller/deployment.yaml +++ b/charts/kyverno/templates/admission-controller/deployment.yaml @@ -4,10 +4,23 @@ kind: Deployment metadata: name: {{ template "kyverno.admission-controller.name" . }} namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} spec: replicas: {{ template "kyverno.deployment.replicas" .Values.admissionController.replicas }} + revisionHistoryLimit: {{ .Values.admissionController.revisionHistoryLimit }} {{- with .Values.admissionController.updateStrategy }} strategy: {{- toYaml . | nindent 4 }} @@ -26,7 +39,7 @@ spec: annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: - {{- with .Values.admissionController.imagePullSecrets }} + {{- with .Values.admissionController.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} @@ -34,11 +47,11 @@ spec: securityContext: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.admissionController.nodeSelector }} + {{- with .Values.admissionController.nodeSelector | default .Values.global.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.admissionController.tolerations }} + {{- with .Values.admissionController.tolerations | default .Values.global.tolerations}} tolerations: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} @@ -55,6 +68,10 @@ spec: {{- with .Values.admissionController.dnsPolicy }} dnsPolicy: {{ . }} {{- end }} + {{- with .Values.admissionController.dnsConfig }} + dnsConfig: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} {{- if or .Values.admissionController.antiAffinity.enabled .Values.admissionController.podAffinity .Values.admissionController.nodeAffinity }} affinity: {{- if .Values.admissionController.antiAffinity.enabled }} @@ -78,10 +95,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} - name: kyverno-pre - image: {{ include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }} + image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }} imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }} args: - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride) + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.admissionController.featuresOverride) "logging" ) | nindent 12 }} {{- range $key, $value := .Values.admissionController.initContainer.extraArgs }} @@ -100,6 +117,8 @@ spec: env: - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.admission-controller.serviceAccountName" . }} + - name: KYVERNO_ROLE_NAME + value: {{ template "kyverno.admission-controller.roleName" . }} - name: INIT_CONFIG value: {{ template "kyverno.config.configMapName" . }} - name: METRICS_CONFIG @@ -116,7 +135,7 @@ spec: value: {{ template "kyverno.admission-controller.name" . }} - name: KYVERNO_SVC value: {{ template "kyverno.admission-controller.serviceName" . }} - {{- with .Values.admissionController.initContainer.extraEnvVars }} + {{- with (concat .Values.global.extraEnvVars .Values.admissionController.initContainer.extraEnvVars) }} {{- toYaml . | nindent 10 }} {{- end }} containers: @@ -124,13 +143,19 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} - name: kyverno - image: {{ include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }} + image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }} imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }} args: - --caSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca - --tlsSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair - --backgroundServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . }} + - --reportsServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.reports-controller.serviceAccountName" . }} - --servicePort={{ .Values.admissionController.service.port }} + - --webhookServerPort={{ .Values.admissionController.webhookServer.port }} + - --resyncPeriod={{ .Values.admissionController.resyncPeriod | default .Values.global.resyncPeriod }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + - --autoDeleteWebhooks + {{- end }} {{- if .Values.admissionController.tracing.enabled }} - --enableTracing - --tracingAddress={{ .Values.admissionController.tracing.address }} @@ -153,7 +178,8 @@ spec: {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} {{- end }} - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride) + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.admissionController.featuresOverride) + "reporting" "admissionReports" "autoUpdateWebhooks" "configMapCaching" @@ -161,6 +187,8 @@ spec: "dumpPayload" "forceFailurePolicyIgnore" "generateValidatingAdmissionPolicy" + "dumpPatches" + "globalContext" "logging" "omitEvents" "policyExceptions" @@ -173,6 +201,10 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- end }} + {{ if .Values.admissionController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.admissionController.profiling.port }} + {{- end }} {{- with .Values.admissionController.container.resources }} resources: {{- tpl (toYaml .) $ | nindent 12 }} @@ -182,12 +214,17 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} ports: - - containerPort: 9443 + - containerPort: {{ .Values.admissionController.webhookServer.port }} name: https protocol: TCP - - containerPort: 8000 + - containerPort: {{ .Values.admissionController.metering.port }} name: metrics-port protocol: TCP + {{ if .Values.admissionController.profiling.enabled }} + - containerPort: {{ .Values.admissionController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} env: - name: INIT_CONFIG value: {{ template "kyverno.config.configMapName" . }} @@ -203,11 +240,13 @@ spec: fieldPath: metadata.name - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.admission-controller.serviceAccountName" . }} + - name: KYVERNO_ROLE_NAME + value: {{ template "kyverno.admission-controller.roleName" . }} - name: KYVERNO_SVC value: {{ template "kyverno.admission-controller.serviceName" . }} - name: TUF_ROOT value: {{ .Values.admissionController.tufRootMountPath }} - {{- with .Values.admissionController.container.extraEnvVars }} + {{- with (concat .Values.global.extraEnvVars .Values.admissionController.container.extraEnvVars) }} {{- toYaml . | nindent 10 }} {{- end }} - name: KYVERNO_DEPLOYMENT @@ -227,7 +266,27 @@ spec: volumeMounts: - mountPath: {{ .Values.admissionController.tufRootMountPath }} name: sigstore + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data .Values.admissionController.caCertificates.volume .Values.global.caCertificates.volume }} + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} volumes: - name: sigstore {{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }} + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.admission-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.admissionController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.admissionController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} {{- end -}} diff --git a/charts/kyverno/templates/admission-controller/flowschema.yaml b/charts/kyverno/templates/admission-controller/flowschema.yaml index e1a9e4e11e..779eeefc43 100644 --- a/charts/kyverno/templates/admission-controller/flowschema.yaml +++ b/charts/kyverno/templates/admission-controller/flowschema.yaml @@ -50,8 +50,8 @@ spec: resources: - clusterpolicies - clusterpolicies/status - - clusteradmissionreports - - clusterbackgroundscanreports + - globalcontextentries + - globalcontextentries/status verbs: - create - delete @@ -70,8 +70,35 @@ spec: - policies/status - updaterequests - updaterequests/status - - admissionreports - - backgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + clusterScope: true + resources: + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + namespaces: + - '*' + resources: + - ephemeralreports verbs: - create - delete @@ -192,4 +219,4 @@ spec: serviceAccount: name: {{ template "kyverno.admission-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml b/charts/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml new file mode 100644 index 0000000000..3179de5c44 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml @@ -0,0 +1,28 @@ +{{- if .Values.admissionController.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "kyverno.admission-controller.name" . }} + minReplicas: {{ .Values.admissionController.autoscaling.minReplicas }} + maxReplicas: {{ .Values.admissionController.autoscaling.maxReplicas }} + metrics: + - resource: + name: cpu + target: + averageUtilization: {{ .Values.admissionController.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + type: Resource + {{- with .Values.admissionController.autoscaling.behavior }} + behavior: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + targetCPUUtilizationPercentage: {{ .Values.admissionController.autoscaling.targetCPUUtilizationPercentage }} +{{- end }} diff --git a/charts/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml b/charts/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml index d0f6c77278..c248da9eac 100644 --- a/charts/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml +++ b/charts/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml @@ -7,6 +7,6 @@ metadata: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} {{- with .Values.admissionController.priorityLevelConfigurationSpec }} spec: - {{- tpl (toYaml .) $ | nindent 8 }} + {{- tpl (toYaml .) $ | nindent 2 }} {{- end }} {{- end }} diff --git a/charts/kyverno/templates/admission-controller/role.yaml b/charts/kyverno/templates/admission-controller/role.yaml index b5d621786c..c24a6ea544 100644 --- a/charts/kyverno/templates/admission-controller/role.yaml +++ b/charts/kyverno/templates/admission-controller/role.yaml @@ -4,6 +4,14 @@ kind: Role metadata: name: {{ template "kyverno.admission-controller.roleName" . }} namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} rules: @@ -11,10 +19,12 @@ rules: - '' resources: - secrets + - serviceaccounts verbs: - get - list - watch + - patch - create - update - delete @@ -39,6 +49,29 @@ rules: - get - patch - update + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + resourceNames: + - {{ template "kyverno.admission-controller.roleName" . }} + - {{ template "kyverno.admission-controller.roleName" . }}:temporary + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + {{- end }} + {{- end }} # Allow update of Kyverno deployment annotations - apiGroups: - apps diff --git a/charts/kyverno/templates/admission-controller/rolebinding.yaml b/charts/kyverno/templates/admission-controller/rolebinding.yaml index b2045b17b6..e54046c78d 100644 --- a/charts/kyverno/templates/admission-controller/rolebinding.yaml +++ b/charts/kyverno/templates/admission-controller/rolebinding.yaml @@ -4,6 +4,14 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "kyverno.admission-controller.roleName" . }} namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} roleRef: diff --git a/charts/kyverno/templates/admission-controller/service.yaml b/charts/kyverno/templates/admission-controller/service.yaml index 8e900205f6..4e3f8d568e 100644 --- a/charts/kyverno/templates/admission-controller/service.yaml +++ b/charts/kyverno/templates/admission-controller/service.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Service metadata: @@ -14,14 +15,15 @@ spec: targetPort: https protocol: TCP name: https + appProtocol: https {{- if and (eq .Values.admissionController.service.type "NodePort") (not (empty .Values.admissionController.service.nodePort)) }} nodePort: {{ .Values.admissionController.service.nodePort }} {{- end }} selector: {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} type: {{ .Values.admissionController.service.type }} ---- {{- if .Values.admissionController.metricsService.create }} +--- apiVersion: v1 kind: Service metadata: @@ -35,7 +37,7 @@ metadata: spec: ports: - port: {{ .Values.admissionController.metricsService.port }} - targetPort: 8000 + targetPort: {{ .Values.admissionController.metering.port }} protocol: TCP name: metrics-port {{- if and (eq .Values.admissionController.metricsService.type "NodePort") (not (empty .Values.admissionController.metricsService.nodePort)) }} @@ -45,3 +47,25 @@ spec: {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} type: {{ .Values.admissionController.metricsService.type }} {{- end -}} +{{- if .Values.admissionController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.admissionController.profiling.port }} + targetPort: {{ .Values.admissionController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.admissionController.profiling.serviceType "NodePort") (not (empty .Values.admissionController.profiling.nodePort)) }} + nodePort: {{ .Values.admissionController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.admissionController.profiling.serviceType }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/serviceaccount.yaml b/charts/kyverno/templates/admission-controller/serviceaccount.yaml index e78f6bff4a..e6fe87ce7f 100644 --- a/charts/kyverno/templates/admission-controller/serviceaccount.yaml +++ b/charts/kyverno/templates/admission-controller/serviceaccount.yaml @@ -4,6 +4,14 @@ kind: ServiceAccount metadata: name: {{ template "kyverno.admission-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} {{- with .Values.admissionController.rbac.serviceAccount.annotations }} diff --git a/charts/kyverno/templates/background-controller/_helpers.tpl b/charts/kyverno/templates/background-controller/_helpers.tpl index 20d0fd788e..10aac22b48 100644 --- a/charts/kyverno/templates/background-controller/_helpers.tpl +++ b/charts/kyverno/templates/background-controller/_helpers.tpl @@ -19,7 +19,7 @@ {{- end -}} {{- define "kyverno.background-controller.image" -}} -{{- $imageRegistry := default .image.registry .globalRegistry -}} +{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}} {{- if $imageRegistry -}} {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} {{- else -}} @@ -38,3 +38,7 @@ {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.backgroundController.rbac.serviceAccount.name }} {{- end -}} {{- end -}} + +{{- define "kyverno.background-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.background-controller.name" .) }} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/clusterrole.yaml b/charts/kyverno/templates/background-controller/clusterrole.yaml index c4cd49a5d3..2b2ade2834 100644 --- a/charts/kyverno/templates/background-controller/clusterrole.yaml +++ b/charts/kyverno/templates/background-controller/clusterrole.yaml @@ -8,6 +8,8 @@ metadata: {{- include "kyverno.background-controller.labels" . | nindent 4 }} aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-background-controller: "true" - matchLabels: {{- include "kyverno.background-controller.matchLabels" . | nindent 8 }} --- @@ -18,14 +20,24 @@ metadata: labels: {{- include "kyverno.background-controller.labels" . | nindent 4 }} rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get - apiGroups: - kyverno.io resources: - policies + - policies/status - clusterpolicies + - clusterpolicies/status - policyexceptions - updaterequests - updaterequests/status + - globalcontextentries + - globalcontextentries/status verbs: - create - delete @@ -56,6 +68,20 @@ rules: - patch - update - watch + - apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection {{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }} {{- toYaml . | nindent 2 }} {{- end }} diff --git a/charts/kyverno/templates/background-controller/clusterrolebinding.yaml b/charts/kyverno/templates/background-controller/clusterrolebinding.yaml index 7dcbfffe6c..6e8073030b 100644 --- a/charts/kyverno/templates/background-controller/clusterrolebinding.yaml +++ b/charts/kyverno/templates/background-controller/clusterrolebinding.yaml @@ -14,5 +14,22 @@ subjects: - kind: ServiceAccount name: {{ template "kyverno.background-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} +{{- if .Values.backgroundController.rbac.createViewRoleBinding }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.background-controller.roleName" . }}:view + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.backgroundController.rbac.viewRoleName }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/background-controller/configmap.yaml b/charts/kyverno/templates/background-controller/configmap.yaml new file mode 100644 index 0000000000..6979ca652a --- /dev/null +++ b/charts/kyverno/templates/background-controller/configmap.yaml @@ -0,0 +1,12 @@ +{{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kyverno.background-controller.caCertificatesConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +data: + ca-certificates: | + {{ .Values.backgroundController.caCertificates.data | default .Values.global.caCertificates.data | indent 4 | trim }} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml index bb80f5f42f..e3c9979da8 100644 --- a/charts/kyverno/templates/background-controller/deployment.yaml +++ b/charts/kyverno/templates/background-controller/deployment.yaml @@ -7,8 +7,13 @@ metadata: namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} spec: replicas: {{ template "kyverno.deployment.replicas" .Values.backgroundController.replicas }} + revisionHistoryLimit: {{ .Values.backgroundController.revisionHistoryLimit }} {{- with .Values.backgroundController.updateStrategy }} strategy: {{- toYaml . | nindent 4 }} @@ -27,19 +32,19 @@ spec: annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: - {{- with .Values.backgroundController.imagePullSecrets }} - imagePullSecrets: + {{- with .Values.backgroundController.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.backgroundController.podSecurityContext }} securityContext: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.backgroundController.nodeSelector }} + {{- with .Values.backgroundController.nodeSelector | default .Values.global.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.backgroundController.tolerations }} + {{- with .Values.backgroundController.tolerations | default .Values.global.tolerations}} tolerations: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} @@ -56,6 +61,10 @@ spec: {{- with .Values.backgroundController.dnsPolicy }} dnsPolicy: {{ . }} {{- end }} + {{- with .Values.backgroundController.dnsConfig }} + dnsConfig: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} {{- if or .Values.backgroundController.antiAffinity.enabled .Values.backgroundController.podAffinity .Values.backgroundController.nodeAffinity }} affinity: {{- if .Values.backgroundController.antiAffinity.enabled }} @@ -76,15 +85,20 @@ spec: serviceAccountName: {{ template "kyverno.background-controller.serviceAccountName" . }} containers: - name: controller - image: {{ include "kyverno.background-controller.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }} + image: {{ include "kyverno.background-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }} imagePullPolicy: {{ .Values.backgroundController.image.pullPolicy }} ports: - - containerPort: 9443 + - containerPort: {{ .Values.backgroundController.server.port }} name: https protocol: TCP - - containerPort: 8000 + - containerPort: {{ .Values.backgroundController.metering.port }} name: metrics protocol: TCP + {{ if .Values.backgroundController.profiling.enabled }} + - containerPort: {{ .Values.backgroundController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} args: {{- if .Values.backgroundController.tracing.enabled }} - --enableTracing @@ -108,9 +122,12 @@ spec: {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} {{- end }} - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride) + - --resyncPeriod={{ .Values.backgroundController.resyncPeriod | default .Values.global.resyncPeriod }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.backgroundController.featuresOverride) + "reporting" "configMapCaching" "deferredLoading" + "globalContext" "logging" "omitEvents" "policyExceptions" @@ -120,6 +137,10 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- end }} + {{ if .Values.backgroundController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.backgroundController.profiling.port }} + {{- end }} env: - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.background-controller.serviceAccountName" . }} @@ -137,7 +158,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - {{- with .Values.backgroundController.extraEnvVars }} + {{- with (concat .Values.global.extraEnvVars .Values.backgroundController.extraEnvVars) }} {{- toYaml . | nindent 10 }} {{- end }} {{- with .Values.backgroundController.resources }} @@ -148,5 +169,29 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + volumeMounts: + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + volumes: + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.background-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.backgroundController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/background-controller/service.yaml b/charts/kyverno/templates/background-controller/service.yaml index ad84fdfd39..876f228b89 100644 --- a/charts/kyverno/templates/background-controller/service.yaml +++ b/charts/kyverno/templates/background-controller/service.yaml @@ -1,5 +1,6 @@ {{- if .Values.backgroundController.enabled -}} {{- if .Values.backgroundController.metricsService.create -}} +--- apiVersion: v1 kind: Service metadata: @@ -14,7 +15,7 @@ metadata: spec: ports: - port: {{ .Values.backgroundController.metricsService.port }} - targetPort: 8000 + targetPort: {{ .Values.backgroundController.metering.port }} protocol: TCP name: metrics-port {{- if and (eq .Values.backgroundController.metricsService.type "NodePort") (not (empty .Values.backgroundController.metricsService.nodePort)) }} @@ -25,3 +26,25 @@ spec: type: {{ .Values.backgroundController.metricsService.type }} {{- end -}} {{- end -}} +{{- if .Values.backgroundController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.background-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.backgroundController.profiling.port }} + targetPort: {{ .Values.backgroundController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.backgroundController.profiling.serviceType "NodePort") (not (empty .Values.backgroundController.profiling.nodePort)) }} + nodePort: {{ .Values.backgroundController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.backgroundController.profiling.serviceType }} +{{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/_helpers.tpl b/charts/kyverno/templates/cleanup-controller/_helpers.tpl index f8da54e192..1804291d39 100644 --- a/charts/kyverno/templates/cleanup-controller/_helpers.tpl +++ b/charts/kyverno/templates/cleanup-controller/_helpers.tpl @@ -19,7 +19,7 @@ {{- end -}} {{- define "kyverno.cleanup-controller.image" -}} -{{- $imageRegistry := default .image.registry .globalRegistry -}} +{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}} {{- if $imageRegistry -}} {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} {{- else -}} diff --git a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml index 9f20026639..8f1dd0ce17 100644 --- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml +++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml @@ -8,6 +8,8 @@ metadata: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-cleanup-controller: "true" - matchLabels: {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 8 }} --- @@ -15,9 +17,22 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "kyverno.cleanup-controller.roleName" . }}:core + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get - apiGroups: - admissionregistration.k8s.io resources: @@ -45,6 +60,20 @@ rules: verbs: - list - watch + - apiGroups: + - kyverno.io + resources: + - globalcontextentries + - globalcontextentries/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection - apiGroups: - kyverno.io resources: @@ -75,6 +104,31 @@ rules: - subjectaccessreviews verbs: - create + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + resourceNames: + - {{ template "kyverno.cleanup-controller.roleName" . }} + - {{ template "kyverno.cleanup-controller.roleName" . }}:core + - {{ template "kyverno.cleanup-controller.roleName" . }}:temporary + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - create + - list + {{- end }} + {{- end }} {{- with .Values.cleanupController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -87,4 +141,4 @@ rules: {{- toYaml . | nindent 2 }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/kyverno/templates/cleanup-controller/deployment.yaml b/charts/kyverno/templates/cleanup-controller/deployment.yaml index 5f2a3d587b..3b81a62cf3 100644 --- a/charts/kyverno/templates/cleanup-controller/deployment.yaml +++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml @@ -5,10 +5,22 @@ kind: Deployment metadata: name: {{ template "kyverno.cleanup-controller.name" . }} namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + {{- with .Values.cleanupController.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} spec: replicas: {{ template "kyverno.deployment.replicas" .Values.cleanupController.replicas }} + revisionHistoryLimit: {{ .Values.cleanupController.revisionHistoryLimit }} {{- with .Values.cleanupController.updateStrategy }} strategy: {{- toYaml . | nindent 4 }} @@ -27,19 +39,19 @@ spec: annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: - {{- with .Values.cleanupController.imagePullSecrets }} - imagePullSecrets: + {{- with .Values.cleanupController.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.cleanupController.podSecurityContext }} securityContext: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.cleanupController.nodeSelector }} + {{- with .Values.cleanupController.nodeSelector | default .Values.global.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.cleanupController.tolerations }} + {{- with .Values.cleanupController.tolerations | default .Values.global.tolerations}} tolerations: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} @@ -56,6 +68,10 @@ spec: {{- with .Values.cleanupController.dnsPolicy }} dnsPolicy: {{ . }} {{- end }} + {{- with .Values.cleanupController.dnsConfig }} + dnsConfig: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} {{- if or .Values.cleanupController.antiAffinity.enabled .Values.cleanupController.podAffinity .Values.cleanupController.nodeAffinity }} affinity: {{- if .Values.cleanupController.antiAffinity.enabled }} @@ -76,19 +92,30 @@ spec: serviceAccountName: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} containers: - name: controller - image: {{ include "kyverno.cleanup-controller.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.cleanupController.image "defaultTag" .Chart.AppVersion) | quote }} + image: {{ include "kyverno.cleanup-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupController.image "defaultTag" .Chart.AppVersion) | quote }} imagePullPolicy: {{ .Values.cleanupController.image.pullPolicy }} ports: - - containerPort: 9443 + - containerPort: {{ .Values.cleanupController.server.port }} name: https protocol: TCP - - containerPort: 8000 + - containerPort: {{ .Values.cleanupController.metering.port }} name: metrics protocol: TCP + {{ if .Values.cleanupController.profiling.enabled }} + - containerPort: {{ .Values.cleanupController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} args: - --caSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca - --tlsSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair - --servicePort={{ .Values.cleanupController.service.port }} + - --cleanupServerPort={{ .Values.cleanupController.server.port }} + - --webhookServerPort={{ .Values.cleanupController.webhookServer.port }} + - --resyncPeriod={{ .Values.cleanupController.resyncPeriod | default .Values.global.resyncPeriod }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + - --autoDeleteWebhooks + {{- end }} {{- if .Values.cleanupController.tracing.enabled }} - --enableTracing - --tracingAddress={{ .Values.cleanupController.tracing.address }} @@ -108,17 +135,23 @@ spec: - --transportCreds={{ . }} {{- end }} {{- end }} - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride) + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.cleanupController.featuresOverride) "deferredLoading" "dumpPayload" + "globalContext" "logging" "ttlController" + "protectManagedResources" ) | nindent 12 }} {{- range $key, $value := .Values.cleanupController.extraArgs }} {{- if $value }} - --{{ $key }}={{ $value }} {{- end }} {{- end }} + {{ if .Values.cleanupController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.cleanupController.profiling.port }} + {{- end }} env: - name: KYVERNO_DEPLOYMENT value: {{ template "kyverno.cleanup-controller.name" . }} @@ -132,13 +165,15 @@ spec: fieldPath: metadata.name - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + - name: KYVERNO_ROLE_NAME + value: {{ template "kyverno.cleanup-controller.roleName" . }} - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_SVC value: {{ template "kyverno.cleanup-controller.name" . }} - {{- with .Values.cleanupController.extraEnvVars }} + {{- with (concat .Values.global.extraEnvVars .Values.cleanupController.extraEnvVars) }} {{- toYaml . | nindent 10 }} {{- end }} {{- with .Values.cleanupController.resources }} @@ -162,4 +197,4 @@ spec: {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/role.yaml b/charts/kyverno/templates/cleanup-controller/role.yaml index 82db80d7dd..7aebf849ac 100644 --- a/charts/kyverno/templates/cleanup-controller/role.yaml +++ b/charts/kyverno/templates/cleanup-controller/role.yaml @@ -4,6 +4,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "kyverno.cleanup-controller.roleName" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} namespace: {{ template "kyverno.namespace" . }} @@ -27,6 +34,22 @@ rules: resourceNames: - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - '' + resources: + - serviceaccounts + verbs: + - delete + - get + - list + - update + - watch + resourceNames: + - {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + {{- end }} + {{- end }} - apiGroups: - '' resources: @@ -55,5 +78,42 @@ rules: - update resourceNames: - kyverno-cleanup-controller + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + resourceNames: + - {{ template "kyverno.cleanup-controller.roleName" . }} + - {{ template "kyverno.cleanup-controller.roleName" . }}:temporary + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + {{- end }} + {{- end }} + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - patch + - update + {{- end }} + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/rolebinding.yaml b/charts/kyverno/templates/cleanup-controller/rolebinding.yaml index 2096f16238..8ccec904bd 100644 --- a/charts/kyverno/templates/cleanup-controller/rolebinding.yaml +++ b/charts/kyverno/templates/cleanup-controller/rolebinding.yaml @@ -4,6 +4,13 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "kyverno.cleanup-controller.roleName" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} namespace: {{ template "kyverno.namespace" . }} diff --git a/charts/kyverno/templates/cleanup-controller/service.yaml b/charts/kyverno/templates/cleanup-controller/service.yaml index 65b76735ea..5ae061e6e2 100644 --- a/charts/kyverno/templates/cleanup-controller/service.yaml +++ b/charts/kyverno/templates/cleanup-controller/service.yaml @@ -1,4 +1,5 @@ {{- if .Values.cleanupController.enabled -}} +--- apiVersion: v1 kind: Service metadata: @@ -16,6 +17,7 @@ spec: targetPort: https protocol: TCP name: https + appProtocol: https {{- if and (eq .Values.cleanupController.service.type "NodePort") (not (empty .Values.cleanupController.service.nodePort)) }} nodePort: {{ .Values.cleanupController.service.nodePort }} {{- end }} @@ -38,7 +40,7 @@ metadata: spec: ports: - port: {{ .Values.cleanupController.metricsService.port }} - targetPort: 8000 + targetPort: {{ .Values.cleanupController.metering.port }} protocol: TCP name: metrics-port {{- if and (eq .Values.cleanupController.metricsService.type "NodePort") (not (empty .Values.cleanupController.metricsService.nodePort)) }} @@ -48,4 +50,26 @@ spec: {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }} type: {{ .Values.cleanupController.metricsService.type }} {{- end -}} +{{- if .Values.cleanupController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.cleanupController.profiling.port }} + targetPort: {{ .Values.cleanupController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.cleanupController.profiling.serviceType "NodePort") (not (empty .Values.cleanupController.profiling.nodePort)) }} + nodePort: {{ .Values.cleanupController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.cleanupController.profiling.serviceType }} +{{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml b/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml index a20a186446..d06987029f 100644 --- a/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml +++ b/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml @@ -5,6 +5,13 @@ kind: ServiceAccount metadata: name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} {{- with .Values.cleanupController.rbac.serviceAccount.annotations }} diff --git a/charts/kyverno/templates/cleanup/_helpers.tpl b/charts/kyverno/templates/cleanup/_helpers.tpl deleted file mode 100644 index a1b70cb339..0000000000 --- a/charts/kyverno/templates/cleanup/_helpers.tpl +++ /dev/null @@ -1,9 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.cleanup.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "cleanup") -) -}} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml deleted file mode 100644 index 52a697f5de..0000000000 --- a/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml +++ /dev/null @@ -1,83 +0,0 @@ -{{- if .Values.cleanupJobs.admissionReports.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-admission-reports - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.admissionReports.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.failure }} - jobTemplate: - spec: - template: - metadata: - {{- with .Values.cleanupJobs.admissionReports.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.admissionReports.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.cleanupJobs.admissionReports.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.admissionReports.image.pullPolicy }} - command: - - /bin/sh - - -c - - | - COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.admissionReports.threshold }} ]; then - echo "too many reports found ($COUNT), cleaning up..." - kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.admissionReports.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.admissionReports.tolerations }} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.admissionReports.podAntiAffinity .Values.cleanupJobs.admissionReports.podAffinity .Values.cleanupJobs.admissionReports.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.admissionReports.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml deleted file mode 100644 index e5c50a5880..0000000000 --- a/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml +++ /dev/null @@ -1,83 +0,0 @@ -{{- if .Values.cleanupJobs.clusterAdmissionReports.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-cluster-admission-reports - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.clusterAdmissionReports.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.failure }} - jobTemplate: - spec: - template: - metadata: - {{- with .Values.cleanupJobs.clusterAdmissionReports.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.clusterAdmissionReports.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.cleanupJobs.clusterAdmissionReports.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.clusterAdmissionReports.image.pullPolicy }} - command: - - /bin/sh - - -c - - | - COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterAdmissionReports.threshold }} ]; then - echo "too many reports found ($COUNT), cleaning up..." - kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.clusterAdmissionReports.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.clusterAdmissionReports.tolerations }} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.clusterAdmissionReports.podAntiAffinity .Values.cleanupJobs.clusterAdmissionReports.podAffinity .Values.cleanupJobs.clusterAdmissionReports.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.clusterAdmissionReports.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/clusterrole.yaml b/charts/kyverno/templates/cleanup/clusterrole.yaml deleted file mode 100644 index c2137ea9d3..0000000000 --- a/charts/kyverno/templates/cleanup/clusterrole.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.name" . }}-cleanup-jobs - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} -rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - verbs: - - list - - deletecollection - - delete diff --git a/charts/kyverno/templates/cleanup/clusterrolebinding.yaml b/charts/kyverno/templates/cleanup/clusterrolebinding.yaml deleted file mode 100644 index 0587113f64..0000000000 --- a/charts/kyverno/templates/cleanup/clusterrolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.name" . }}-cleanup-jobs - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.name" . }}-cleanup-jobs -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.name" . }}-cleanup-jobs - namespace: {{ template "kyverno.namespace" . }} diff --git a/charts/kyverno/templates/cleanup/serviceaccount.yaml b/charts/kyverno/templates/cleanup/serviceaccount.yaml deleted file mode 100644 index f93bdc2e6e..0000000000 --- a/charts/kyverno/templates/cleanup/serviceaccount.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.name" . }}-cleanup-jobs - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} diff --git a/charts/kyverno/templates/config/_helpers.tpl b/charts/kyverno/templates/config/_helpers.tpl index 64ec92c634..68dd8019e9 100644 --- a/charts/kyverno/templates/config/_helpers.tpl +++ b/charts/kyverno/templates/config/_helpers.tpl @@ -35,6 +35,9 @@ {{- if .Values.config.excludeKyvernoNamespace -}} {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*/*,%s,*]" (include "kyverno.namespace" .)) -}} {{- end -}} +{{- range $resourceExclude := .Values.config.resourceFiltersExclude -}} + {{- $resourceFilters = without $resourceFilters $resourceExclude -}} +{{- end -}} {{- range $exclude := .Values.config.resourceFiltersExcludeNamespaces -}} {{- range $filter := $resourceFilters -}} {{- if (contains (printf ",%s," $exclude) $filter) -}} @@ -42,6 +45,10 @@ {{- end -}} {{- end -}} {{- end -}} +{{- $resourceFilters = concat $resourceFilters .Values.config.resourceFiltersInclude -}} +{{- range $include := .Values.config.resourceFiltersIncludeNamespaces -}} + {{- $resourceFilters = append $resourceFilters (printf "[*/*,%s,*]" $include) -}} +{{- end -}} {{- range $resourceFilter := $resourceFilters }} {{ tpl $resourceFilter $ }} {{- end -}} @@ -49,14 +56,27 @@ {{- define "kyverno.config.webhooks" -}} {{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} -{{- $newWebhook := list }} -{{- range $webhook := .Values.config.webhooks }} - {{- $namespaceSelector := default dict $webhook.namespaceSelector }} - {{- $matchExpressions := default list $namespaceSelector.matchExpressions }} +{{- $webhooks := .Values.config.webhooks -}} +{{- if $webhooks | typeIs "slice" -}} + {{- $newWebhooks := dict -}} + {{- range $index, $webhook := $webhooks -}} + {{- if $webhook.namespaceSelector -}} + {{- $namespaceSelector := $webhook.namespaceSelector }} + {{- $matchExpressions := default (list) $namespaceSelector.matchExpressions }} + {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} + {{- $newWebhook := merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector) }} + {{- $newWebhooks = merge $newWebhooks (dict $webhook.name $newWebhook) }} + {{- end -}} + {{- end -}} + {{- $newWebhooks | toJson }} +{{- else -}} + {{- $webhook := $webhooks }} + {{- $namespaceSelector := default (dict) $webhook.namespaceSelector }} + {{- $matchExpressions := default (list) $namespaceSelector.matchExpressions }} {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} - {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }} -{{- end }} -{{- $newWebhook | toJson }} + {{- $newWebhook := merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector) }} + {{- $newWebhook | toJson }} +{{- end -}} {{- end -}} {{- define "kyverno.config.imagePullSecret" -}} diff --git a/charts/kyverno/templates/config/configmap.yaml b/charts/kyverno/templates/config/configmap.yaml index 7a0370619a..d10a74d5dd 100644 --- a/charts/kyverno/templates/config/configmap.yaml +++ b/charts/kyverno/templates/config/configmap.yaml @@ -6,10 +6,13 @@ metadata: namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.config.labels" . | nindent 4 }} - {{- with .Values.config.annotations }} annotations: + {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} - {{- end }} + {{- end }} + {{- if .Values.config.preserve }} + helm.sh/resource-policy: "keep" + {{- end }} data: enableDefaultRegistryMutation: {{ .Values.config.enableDefaultRegistryMutation | quote }} {{- with .Values.config.defaultRegistry }} @@ -32,6 +35,9 @@ data: resourceFilters: >- {{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }} {{- end -}} + {{- with .Values.config.updateRequestThreshold }} + updateRequestThreshold: {{ . | quote }} + {{- end -}} {{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }} webhooks: {{ include "kyverno.config.webhooks" . | quote }} {{- else if .Values.config.webhooks }} @@ -42,6 +48,9 @@ data: {{- with .Values.config.webhookAnnotations }} webhookAnnotations: {{ toJson . | quote }} {{- end }} + {{- with .Values.config.webhookLabels }} + webhookLabels: {{ toJson . | quote }} + {{- end }} {{- with .Values.config.matchConditions }} matchConditions: {{ toJson . | quote }} {{- end }} diff --git a/charts/kyverno/templates/hooks/post-delete-configmap.yaml b/charts/kyverno/templates/hooks/post-delete-configmap.yaml new file mode 100644 index 0000000000..93f0c330ef --- /dev/null +++ b/charts/kyverno/templates/hooks/post-delete-configmap.yaml @@ -0,0 +1,132 @@ +{{- if .Values.config.preserve -}} +{{- if not .Values.templating.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.fullname" . }}:remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "0" +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - get + - delete +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.fullname" . }}:remove-configmap +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.fullname" . }}-remove-configmap + namespace: {{ template "kyverno.namespace" . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.fullname" . }}-remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "0" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "10" +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.webhooksCleanup.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kyverno.fullname" . }}-remove-configmap + {{- with .Values.webhooksCleanup.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + {{- with .Values.webhooksCleanup.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} + imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} + command: + - /bin/bash + - '-c' + - |- + set -euo pipefail + kubectl delete cm --ignore-not-found -n {{ template "kyverno.namespace" . }} {{ template "kyverno.config.configMapName" . }} + {{- with .Values.webhooksCleanup.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.webhooksCleanup.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.webhooksCleanup.tolerations | default .Values.global.tolerations }} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.webhooksCleanup.podAntiAffinity .Values.webhooksCleanup.podAffinity .Values.webhooksCleanup.nodeAffinity }} + affinity: + {{- with .Values.webhooksCleanup.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/hooks/post-upgrade.yaml b/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml similarity index 71% rename from charts/kyverno/templates/hooks/post-upgrade.yaml rename to charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml index 4a3c04f5d6..28fa2eff10 100644 --- a/charts/kyverno/templates/hooks/post-upgrade.yaml +++ b/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml @@ -1,20 +1,29 @@ {{- if .Values.policyReportsCleanup.enabled -}} - {{- if not .Values.templating.enabled -}} +{{- if not .Values.templating.enabled -}} apiVersion: batch/v1 kind: Job metadata: - name: {{ template "kyverno.fullname" . }}-hook-post-upgrade + name: {{ template "kyverno.fullname" . }}-clean-reports namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.hooks.labels" . | nindent 4 }} annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed spec: backoffLimit: 2 template: + metadata: + {{- with .Values.policyReportsCleanup.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.policyReportsCleanup.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} spec: - serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }} + serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} {{- with .Values.policyReportsCleanup.podSecurityContext }} securityContext: {{- tpl (toYaml .) $ | nindent 8 }} @@ -22,12 +31,13 @@ spec: restartPolicy: Never containers: - name: kubectl - image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }} + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }} imagePullPolicy: {{ .Values.policyReportsCleanup.image.pullPolicy }} command: - /bin/bash - -c - | + set -euo pipefail NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}') for ns in ${NAMESPACES[@]}; @@ -43,30 +53,30 @@ spec: done COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l) - + if [ $COUNT -gt 0 ]; then echo "deleting $COUNT clusterpolicyreports" kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io else echo "no clusterpolicyreports" fi + {{- with .Values.policyReportsCleanup.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} {{- with .Values.policyReportsCleanup.securityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.policyReportsCleanup.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.policyReportsCleanup.imagePullSecrets }} + {{- with .Values.policyReportsCleanup.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.policyReportsCleanup.tolerations }} + {{- with .Values.policyReportsCleanup.tolerations | default .Values.global.tolerations}} tolerations: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.policyReportsCleanup.nodeSelector }} + {{- with .Values.policyReportsCleanup.nodeSelector | default .Values.global.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} @@ -85,5 +95,5 @@ spec: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} {{- end }} - {{- end -}} +{{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml new file mode 100644 index 0000000000..fd3f79d1f6 --- /dev/null +++ b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml @@ -0,0 +1,142 @@ +{{- if .Values.crds.migration.enabled -}} +{{- if not .Values.templating.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }}:migrate-resources + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "100" +rules: + - apiGroups: + - kyverno.io + resources: + - '*' + verbs: + - get + - list + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions/status + verbs: + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:migrate-resources + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "100" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.fullname" . }}:migrate-resources +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.fullname" . }}-migrate-resources + namespace: {{ template "kyverno.namespace" . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.fullname" . }}-migrate-resources + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "100" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-migrate-resources + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "200" +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.crds.migration.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.crds.migration.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kyverno.fullname" . }}-migrate-resources + {{- with .Values.crds.migration.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.crds.migration.image "defaultTag" (default .Chart.AppVersion .Values.crds.migration.image.tag))) | quote }} + imagePullPolicy: {{ .Values.crds.migration.image.pullPolicy }} + args: + - migrate + {{- range .Values.crds.migration.resources }} + - --resource + - {{ . }} + {{- end }} + {{- with .Values.crds.migration.podResources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.crds.migration.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.crds.migration.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.crds.migration.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.crds.migration.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.crds.migration.podAntiAffinity .Values.crds.migration.podAffinity .Values.crds.migration.nodeAffinity }} + affinity: + {{- with .Values.crds.migration.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.crds.migration.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.crds.migration.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/hooks/pre-delete.yaml b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml similarity index 63% rename from charts/kyverno/templates/hooks/pre-delete.yaml rename to charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml index f3a167129e..3f3aade859 100644 --- a/charts/kyverno/templates/hooks/pre-delete.yaml +++ b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml @@ -1,54 +1,65 @@ {{- if .Values.webhooksCleanup.enabled -}} - {{- if not .Values.templating.enabled -}} +{{- if not .Values.templating.enabled -}} apiVersion: batch/v1 kind: Job metadata: - name: {{ template "kyverno.fullname" . }}-hook-pre-delete + name: {{ template "kyverno.fullname" . }}-scale-to-zero namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.hooks.labels" . | nindent 4 }} annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + helm.sh/hook: pre-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "100" spec: backoffLimit: 2 template: + metadata: + {{- with .Values.webhooksCleanup.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} spec: - serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }} + serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} {{- with .Values.webhooksCleanup.podSecurityContext }} securityContext: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} restartPolicy: Never - {{- with .Values.webhooksCleanup.imagePullSecrets }} - imagePullSecrets: + {{- with .Values.webhooksCleanup.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} containers: - name: kubectl - image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} command: - - sh + - /bin/bash - '-c' - |- + set -euo pipefail kubectl scale -n {{ template "kyverno.namespace" . }} deployment -l app.kubernetes.io/part-of={{ template "kyverno.fullname" . }} --replicas=0 sleep 30 kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno + {{- with .Values.webhooksCleanup.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} {{- with .Values.webhooksCleanup.securityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.webhooksCleanup.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.webhooksCleanup.tolerations }} + {{- with .Values.webhooksCleanup.tolerations | default .Values.global.tolerations}} tolerations: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.webhooksCleanup.nodeSelector }} + {{- with .Values.webhooksCleanup.nodeSelector | default .Values.global.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} @@ -67,5 +78,5 @@ spec: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} {{- end }} - {{- end -}} +{{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/rbac/_helpers.tpl b/charts/kyverno/templates/rbac/_helpers.tpl index e1cc0b1147..b87759d0fb 100644 --- a/charts/kyverno/templates/rbac/_helpers.tpl +++ b/charts/kyverno/templates/rbac/_helpers.tpl @@ -1,19 +1,26 @@ {{/* vim: set filetype=mustache: */}} {{- define "kyverno.rbac.labels.admin" -}} -{{- template "kyverno.labels.merge" (list +{{- $labels := list (include "kyverno.labels.common" .) (include "kyverno.rbac.matchLabels" .) - "rbac.authorization.k8s.io/aggregate-to-admin: 'true'" -) -}} +-}} +{{- if .Values.rbac.roles.aggregate.admin -}} +{{- $labels = append $labels "rbac.authorization.k8s.io/aggregate-to-admin: 'true'" -}} {{- end -}} +{{- template "kyverno.labels.merge" $labels -}} +{{- end -}} + {{- define "kyverno.rbac.labels.view" -}} -{{- template "kyverno.labels.merge" (list +{{- $labels := list (include "kyverno.labels.common" .) (include "kyverno.rbac.matchLabels" .) - "rbac.authorization.k8s.io/aggregate-to-view: 'true'" -) -}} +-}} +{{- if .Values.rbac.roles.aggregate.view -}} +{{- $labels = append $labels "rbac.authorization.k8s.io/aggregate-to-view: 'true'" -}} +{{- end -}} +{{- template "kyverno.labels.merge" $labels -}} {{- end -}} {{- define "kyverno.rbac.matchLabels" -}} diff --git a/charts/kyverno/templates/rbac/reports.yaml b/charts/kyverno/templates/rbac/reports.yaml index d14529bfb4..89ea5dc4f8 100644 --- a/charts/kyverno/templates/rbac/reports.yaml +++ b/charts/kyverno/templates/rbac/reports.yaml @@ -7,12 +7,10 @@ metadata: {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} rules: - apiGroups: - - kyverno.io + - reports.kyverno.io resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports + - ephemeralreports + - clusterephemeralreports verbs: - create - delete @@ -30,14 +28,12 @@ metadata: {{- include "kyverno.rbac.labels.view" . | nindent 4 }} rules: - apiGroups: - - kyverno.io + - reports.kyverno.io resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports + - ephemeralreports + - clusterephemeralreports verbs: - get - list - watch -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/kyverno/templates/reports-controller/_helpers.tpl b/charts/kyverno/templates/reports-controller/_helpers.tpl index d5fd852be1..fe8e41e8ad 100644 --- a/charts/kyverno/templates/reports-controller/_helpers.tpl +++ b/charts/kyverno/templates/reports-controller/_helpers.tpl @@ -19,7 +19,7 @@ {{- end -}} {{- define "kyverno.reports-controller.image" -}} -{{- $imageRegistry := default .image.registry .globalRegistry -}} +{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}} {{- if $imageRegistry -}} {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} {{- else -}} @@ -38,3 +38,7 @@ {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.reportsController.rbac.serviceAccount.name }} {{- end -}} {{- end -}} + +{{- define "kyverno.reports-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.reports-controller.name" .) }} +{{- end -}} diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml index 14010466ca..2f74f29ae5 100644 --- a/charts/kyverno/templates/reports-controller/clusterrole.yaml +++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml @@ -8,6 +8,8 @@ metadata: {{- include "kyverno.reports-controller.labels" . | nindent 4 }} aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" - matchLabels: {{- include "kyverno.reports-controller.matchLabels" . | nindent 8 }} --- @@ -19,9 +21,16 @@ metadata: {{- include "kyverno.reports-controller.labels" . | nindent 4 }} rules: - apiGroups: - - '*' + - apiextensions.k8s.io resources: - - '*' + - customresourcedefinitions + verbs: + - get + - apiGroups: + - '' + resources: + - configmaps + - namespaces verbs: - get - list @@ -29,10 +38,50 @@ rules: - apiGroups: - kyverno.io resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports + - globalcontextentries + - globalcontextentries/status + - policyexceptions + - policies + - clusterpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - policies.kyverno.io + resources: + - validatingpolicies + - validatingpolicies/status + - imagevalidatingpolicies + - imagevalidatingpolicies/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - policies.kyverno.io + resources: + - policyexceptions + - policyexceptions/status + verbs: + - get + - list + - watch + - apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports verbs: - create - delete @@ -66,6 +115,9 @@ rules: verbs: - create - patch +{{- with .Values.reportsController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.reportsController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml b/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml index 58742e6de8..a2b760085f 100644 --- a/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml +++ b/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml @@ -14,5 +14,22 @@ subjects: - kind: ServiceAccount name: {{ template "kyverno.reports-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} +{{- if .Values.reportsController.rbac.createViewRoleBinding }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }}:view + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.reportsController.rbac.viewRoleName }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/reports-controller/configmap.yaml b/charts/kyverno/templates/reports-controller/configmap.yaml new file mode 100644 index 0000000000..ad23aa802e --- /dev/null +++ b/charts/kyverno/templates/reports-controller/configmap.yaml @@ -0,0 +1,12 @@ +{{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kyverno.reports-controller.caCertificatesConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +data: + ca-certificates: | + {{ .Values.reportsController.caCertificates.data | default .Values.global.caCertificates.data | indent 4 | trim }} +{{- end -}} diff --git a/charts/kyverno/templates/reports-controller/deployment.yaml b/charts/kyverno/templates/reports-controller/deployment.yaml index cdaa8c0dbc..f674c4512d 100644 --- a/charts/kyverno/templates/reports-controller/deployment.yaml +++ b/charts/kyverno/templates/reports-controller/deployment.yaml @@ -7,8 +7,13 @@ metadata: namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + {{- with .Values.reportsController.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} spec: replicas: {{ template "kyverno.deployment.replicas" .Values.reportsController.replicas }} + revisionHistoryLimit: {{ .Values.reportsController.revisionHistoryLimit }} {{- with .Values.reportsController.updateStrategy }} strategy: {{- toYaml . | nindent 4 }} @@ -27,19 +32,19 @@ spec: annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: - {{- with .Values.reportsController.imagePullSecrets }} - imagePullSecrets: + {{- with .Values.reportsController.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.reportsController.podSecurityContext }} securityContext: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.reportsController.nodeSelector }} + {{- with .Values.reportsController.nodeSelector | default .Values.global.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.reportsController.tolerations }} + {{- with .Values.reportsController.tolerations | default .Values.global.tolerations}} tolerations: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} @@ -56,6 +61,10 @@ spec: {{- with .Values.reportsController.dnsPolicy }} dnsPolicy: {{ . }} {{- end }} + {{- with .Values.reportsController.dnsConfig }} + dnsConfig: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} {{- if or .Values.reportsController.antiAffinity.enabled .Values.reportsController.podAffinity .Values.reportsController.nodeAffinity }} affinity: {{- if .Values.reportsController.antiAffinity.enabled }} @@ -76,15 +85,20 @@ spec: serviceAccountName: {{ template "kyverno.reports-controller.serviceAccountName" . }} containers: - name: controller - image: {{ include "kyverno.reports-controller.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }} + image: {{ include "kyverno.reports-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }} imagePullPolicy: {{ .Values.reportsController.image.pullPolicy }} ports: - - containerPort: 9443 + - containerPort: {{ .Values.reportsController.server.port }} name: https protocol: TCP - - containerPort: 8000 + - containerPort: {{ .Values.reportsController.metering.port }} name: metrics protocol: TCP + {{ if .Values.reportsController.profiling.enabled }} + - containerPort: {{ .Values.reportsController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} args: {{- if .Values.reportsController.tracing.enabled }} - --enableTracing @@ -108,7 +122,9 @@ spec: {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} {{- end }} - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride) + - --resyncPeriod={{ .Values.reportsController.resyncPeriod | default .Values.global.resyncPeriod }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.reportsController.featuresOverride) + "reporting" "admissionReports" "aggregateReports" "policyReports" @@ -116,10 +132,10 @@ spec: "backgroundScan" "configMapCaching" "deferredLoading" + "globalContext" "logging" "omitEvents" "policyExceptions" - "reports" "registryClient" "tuf" ) | nindent 12 }} @@ -128,6 +144,13 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- end }} + {{- if .Values.reportsController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.reportsController.profiling.port }} + {{- end }} + {{- if not .Values.reportsController.sanityChecks }} + - --reportsCRDsSanityChecks=false + {{- end }} env: - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.reports-controller.serviceAccountName" . }} @@ -147,7 +170,7 @@ spec: fieldPath: metadata.namespace - name: TUF_ROOT value: {{ .Values.reportsController.tufRootMountPath }} - {{- with .Values.reportsController.extraEnvVars }} + {{- with (concat .Values.global.extraEnvVars .Values.reportsController.extraEnvVars) }} {{- toYaml . | nindent 10 }} {{- end }} {{- with .Values.reportsController.resources }} @@ -161,8 +184,28 @@ spec: volumeMounts: - mountPath: {{ .Values.reportsController.tufRootMountPath }} name: sigstore + {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data .Values.reportsController.caCertificates.volume .Values.global.caCertificates.volume }} + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} volumes: - name: sigstore {{- toYaml (required "A valid .Values.reportsController.sigstoreVolume entry is required" .Values.reportsController.sigstoreVolume) | nindent 8 }} + {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.reports-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.reportsController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.reportsController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/reports-controller/flowschema.yaml b/charts/kyverno/templates/reports-controller/flowschema.yaml index fa2e9d1986..7dbd98a07e 100644 --- a/charts/kyverno/templates/reports-controller/flowschema.yaml +++ b/charts/kyverno/templates/reports-controller/flowschema.yaml @@ -21,11 +21,10 @@ spec: - list - watch - apiGroups: - - kyverno.io + - reports.kyverno.io clusterScope: true resources: - - clusteradmissionreports - - clusterbackgroundscanreports + - clusterephemeralreports verbs: - create - delete @@ -36,12 +35,11 @@ spec: - watch - deletecollection - apiGroups: - - kyverno.io + - reports.kyverno.io namespaces: - '*' resources: - - admissionreports - - backgroundscanreports + - ephemeralreports verbs: - create - delete @@ -119,4 +117,4 @@ spec: serviceAccount: name: {{ template "kyverno.reports-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kyverno/templates/reports-controller/role.yaml b/charts/kyverno/templates/reports-controller/role.yaml index 5c1b5c07da..6b163b7561 100644 --- a/charts/kyverno/templates/reports-controller/role.yaml +++ b/charts/kyverno/templates/reports-controller/role.yaml @@ -19,6 +19,14 @@ rules: resourceNames: - {{ include "kyverno.config.configMapName" . }} - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch - apiGroups: - coordination.k8s.io resources: diff --git a/charts/kyverno/templates/reports-controller/service.yaml b/charts/kyverno/templates/reports-controller/service.yaml index 6eee2170d1..34fdfeee6d 100644 --- a/charts/kyverno/templates/reports-controller/service.yaml +++ b/charts/kyverno/templates/reports-controller/service.yaml @@ -1,5 +1,6 @@ {{- if .Values.reportsController.enabled -}} {{- if .Values.reportsController.metricsService.create -}} +--- apiVersion: v1 kind: Service metadata: @@ -14,7 +15,7 @@ metadata: spec: ports: - port: {{ .Values.reportsController.metricsService.port }} - targetPort: 8000 + targetPort: {{ .Values.reportsController.metering.port }} protocol: TCP name: metrics-port {{- if and (eq .Values.reportsController.metricsService.type "NodePort") (not (empty .Values.reportsController.metricsService.nodePort)) }} @@ -25,3 +26,25 @@ spec: type: {{ .Values.reportsController.metricsService.type }} {{- end -}} {{- end -}} +{{- if .Values.reportsController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.reports-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.reportsController.profiling.port }} + targetPort: {{ .Values.reportsController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.reportsController.profiling.serviceType "NodePort") (not (empty .Values.reportsController.profiling.nodePort)) }} + nodePort: {{ .Values.reportsController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.reportsController.profiling.serviceType }} +{{- end -}} diff --git a/charts/kyverno/templates/tests/admission-controller-liveness.yaml b/charts/kyverno/templates/tests/admission-controller-liveness.yaml index 97c671a86f..756a3092b5 100644 --- a/charts/kyverno/templates/tests/admission-controller-liveness.yaml +++ b/charts/kyverno/templates/tests/admission-controller-liveness.yaml @@ -1,3 +1,4 @@ +{{- if .Values.admissionController.enabled -}} apiVersion: v1 kind: Pod metadata: @@ -9,6 +10,10 @@ metadata: {{- include "kyverno.test.annotations" . | nindent 4 }} spec: restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} containers: - name: test image: {{ template "kyverno.test.image" . }} @@ -24,4 +29,5 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/liveness + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/liveness +{{- end -}} \ No newline at end of file diff --git a/charts/kyverno/templates/tests/admission-controller-metrics.yaml b/charts/kyverno/templates/tests/admission-controller-metrics.yaml index 514a6c2621..44d6c6aa49 100644 --- a/charts/kyverno/templates/tests/admission-controller-metrics.yaml +++ b/charts/kyverno/templates/tests/admission-controller-metrics.yaml @@ -10,6 +10,10 @@ metadata: {{- include "kyverno.test.annotations" . | nindent 4 }} spec: restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} containers: - name: test image: {{ template "kyverno.test.image" . }} @@ -25,5 +29,5 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.admission-controller.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.metricsService.port }}/metrics + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate http://{{ template "kyverno.admission-controller.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.metricsService.port }}/metrics {{- end -}} diff --git a/charts/kyverno/templates/tests/admission-controller-readiness.yaml b/charts/kyverno/templates/tests/admission-controller-readiness.yaml index fb1d34a088..093a0a28ae 100644 --- a/charts/kyverno/templates/tests/admission-controller-readiness.yaml +++ b/charts/kyverno/templates/tests/admission-controller-readiness.yaml @@ -1,3 +1,4 @@ +{{- if .Values.admissionController.enabled -}} apiVersion: v1 kind: Pod metadata: @@ -9,6 +10,10 @@ metadata: {{- include "kyverno.test.annotations" . | nindent 4 }} spec: restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} containers: - name: test image: {{ template "kyverno.test.image" . }} @@ -24,4 +29,5 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/readiness + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/readiness +{{- end -}} \ No newline at end of file diff --git a/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml b/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml index 21b44011de..a667f6b20a 100644 --- a/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml +++ b/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml @@ -10,6 +10,10 @@ metadata: {{- include "kyverno.test.annotations" . | nindent 4 }} spec: restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} containers: - name: test image: {{ template "kyverno.test.image" . }} @@ -25,5 +29,5 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/liveness + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/liveness {{- end -}} diff --git a/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml b/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml index c3cd51961f..080d7e8137 100644 --- a/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml +++ b/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml @@ -10,6 +10,10 @@ metadata: {{- include "kyverno.test.annotations" . | nindent 4 }} spec: restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} containers: - name: test image: {{ template "kyverno.test.image" . }} @@ -25,5 +29,5 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.cleanup-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.metricsService.port }}/metrics + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate http://{{ template "kyverno.cleanup-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.metricsService.port }}/metrics {{- end -}} diff --git a/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml b/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml index 17752a3a34..e5ef16e435 100644 --- a/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml +++ b/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml @@ -10,6 +10,10 @@ metadata: {{- include "kyverno.test.annotations" . | nindent 4 }} spec: restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} containers: - name: test image: {{ template "kyverno.test.image" . }} @@ -25,5 +29,5 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/readiness + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/readiness {{- end -}} diff --git a/charts/kyverno/templates/tests/reports-controller-metrics.yaml b/charts/kyverno/templates/tests/reports-controller-metrics.yaml index ecc3be9b41..386e11f3f0 100644 --- a/charts/kyverno/templates/tests/reports-controller-metrics.yaml +++ b/charts/kyverno/templates/tests/reports-controller-metrics.yaml @@ -10,6 +10,10 @@ metadata: {{- include "kyverno.test.annotations" . | nindent 4 }} spec: restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} containers: - name: test image: {{ template "kyverno.test.image" . }} @@ -25,5 +29,5 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.reports-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.reportsController.metricsService.port }}/metrics + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate http://{{ template "kyverno.reports-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.reportsController.metricsService.port }}/metrics {{- end -}} diff --git a/charts/kyverno/templates/validate.yaml b/charts/kyverno/templates/validate.yaml index fab8dd8de6..aabd3359b2 100644 --- a/charts/kyverno/templates/validate.yaml +++ b/charts/kyverno/templates/validate.yaml @@ -1,13 +1,26 @@ +{{- if and (eq .Values.cleanupController.enabled true) (eq .Values.crds.groups.kyverno.cleanuppolicies false) }} +{{- fail "CRD cleanuppolicies disabled while cleanupController enabled" }} +{{- end }} +{{- if and (eq .Values.cleanupController.enabled true) (eq .Values.crds.groups.kyverno.clustercleanuppolicies false) }} +{{- fail "CRD clustercleanuppolicies disabled while cleanupController enabled" }} +{{- end }} +{{- if and (eq .Values.reportsController.enabled true) (eq .Values.reportsController.sanityChecks true) (eq .Values.crds.groups.wgpolicyk8s.clusterpolicyreports false) }} +{{- fail "CRD clusterpolicyreports disabled while reportsController enabled" }} +{{- end }} +{{- if and (eq .Values.reportsController.enabled true) (eq .Values.reportsController.sanityChecks true) (eq .Values.crds.groups.wgpolicyk8s.policyreports false) }} +{{- fail "CRD policyreports disabled while reportsController enabled" }} +{{- end }} +{{- if and (eq .Values.reportsController.enabled true) (eq .Values.reportsController.sanityChecks true) (eq .Values.crds.groups.reports.ephemeralreports false) }} +{{- fail "CRD ephemeralreports disabled while reportsController enabled" }} +{{- end }} +{{- if and (eq .Values.reportsController.enabled true) (eq .Values.reportsController.sanityChecks true) (eq .Values.crds.groups.reports.clusterephemeralreports false) }} +{{- fail "CRD clusterephemeralreports disabled while reportsController enabled" }} +{{- end }} + {{- if hasKey .Values "mode" -}} {{- fail "mode is not supported anymore, please remove it from your release and use admissionController.replicas instead." -}} {{- end -}} -{{- if .Values.admissionController.replicas -}} - {{- if eq (int .Values.admissionController.replicas) 2 -}} - {{- fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." -}} - {{- end -}} -{{- end -}} - {{- if eq (include "kyverno.namespace" .) "kube-system" -}} {{- fail "Kyverno cannot be installed in namespace kube-system." -}} {{- end -}} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index cbb870bec1..d793c5550c 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -6,10 +6,45 @@ templating: version: ~ global: + image: # -- (string) Global value that allows to set a single image registry across all deployments. # When set, it will override any values set under `.image.registry` across the chart. registry: ~ + # -- (list) Global list of Image pull secrets + # When set, it will override any values set under `imagePullSecrets` under different components across the chart. + imagePullSecrets: [] + + # -- Resync period for informers + resyncPeriod: 15m + + caCertificates: + # -- Global CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + # Individual controller values will override this global value + data: ~ + + # -- Global value to set single volume to be mounted for CA certificates for all deployments. + # Not used when `.Values.global.caCertificates.data` is defined + # Individual controller values will override this global value + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + # -- Additional container environment variables to apply to all containers and init containers + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + # -- Global node labels for pod assignment. Non-global values will override the global value. + nodeSelector: {} + + # -- Global List of node taints to tolerate. Non-global values will override the global value. + tolerations: [] # -- (string) Override the name of the chart nameOverride: ~ @@ -30,12 +65,48 @@ apiVersionOverride: # determine the api version automatically. podDisruptionBudget: ~ +rbac: + roles: + # -- Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) + aggregate: + admin: true + view: true + # CRDs configuration crds: # -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created install: true + groups: + + # -- Install CRDs in group `kyverno.io` + kyverno: + cleanuppolicies: true + clustercleanuppolicies: true + clusterpolicies: true + globalcontextentries: true + policies: true + policyexceptions: true + updaterequests: true + validatingpolicies: true + + # -- Install CRDs in group `policies.kyverno.io` + policies: + validatingpolicies: true + policyexceptions: true + imagevalidatingpolicies: true + + # -- Install CRDs in group `reports.kyverno.io` + reports: + clusterephemeralreports: true + ephemeralreports: true + + # -- Install CRDs in group `wgpolicyk8s.io` + wgpolicyk8s: + clusterpolicyreports: true + policyreports: true + # -- Additional CRDs annotations annotations: {} # argocd.argoproj.io/sync-options: Replace=true @@ -44,12 +115,94 @@ crds: # -- Additional CRDs labels customLabels: {} + migration: + + # -- Enable CRDs migration using helm post upgrade hook + enabled: true + + # -- Resources to migrate + resources: + - cleanuppolicies.kyverno.io + - clustercleanuppolicies.kyverno.io + - clusterpolicies.kyverno.io + - globalcontextentries.kyverno.io + - policies.kyverno.io + - policyexceptions.kyverno.io + - updaterequests.kyverno.io + + image: + # -- (string) Image registry + registry: ~ + defaultRegistry: reg.kyverno.io + # -- (string) Image repository + repository: kyverno/kyverno-cli + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- (string) Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - name: secretName + + # -- Security context for the pod + podSecurityContext: {} + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + # -- Pod anti affinity constraints. + podAntiAffinity: {} + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Pod labels. + podLabels: {} + + # -- Pod annotations. + podAnnotations: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Security context for the hook containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + podResources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + # Configuration config: # -- Create the configmap. create: true + # -- Preserve the configmap settings during upgrade. + preserve: true + # -- (string) The configmap name (required if `create` is `false`). name: ~ @@ -99,14 +252,8 @@ config: - '[Pod/binding,*,*]' - '[ReplicaSet,*,*]' - '[ReplicaSet/*,*,*]' - - '[AdmissionReport,*,*]' - - '[AdmissionReport/*,*,*]' - - '[ClusterAdmissionReport,*,*]' - - '[ClusterAdmissionReport/*,*,*]' - - '[BackgroundScanReport,*,*]' - - '[BackgroundScanReport/*,*,*]' - - '[ClusterBackgroundScanReport,*,*]' - - '[ClusterBackgroundScanReport/*,*,*]' + - '[EphemeralReport,*,*]' + - '[ClusterEphemeralReport,*,*]' # exclude resources from the chart - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]' - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]' @@ -195,19 +342,19 @@ config: - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - # -- Defines the `namespaceSelector` in the webhook configurations. - # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element - # will be forwarded to the webhook configurations. + # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. + updateRequestThreshold: 1000 + + # -- Defines the `namespaceSelector`/`objectSelector` in the webhook configurations. # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) - webhooks: [] + webhooks: # Exclude namespaces - # - namespaceSelector: - # matchExpressions: - # - key: kubernetes.io/metadata.name - # operator: NotIn - # values: - # - kube-system - # - kyverno + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system # Exclude objects # - objectSelector: # matchExpressions: @@ -215,9 +362,14 @@ config: # operator: DoesNotExist # -- Defines annotations to set on webhook configurations. - webhookAnnotations: {} + webhookAnnotations: # Example to disable admission enforcer on AKS: - # 'admissions.enforcer/disabled': 'true' + 'admissions.enforcer/disabled': 'true' + + # -- Defines labels to set on webhook configurations. + webhookLabels: {} + # Example to adopt webhook resources in ArgoCD: + # 'argocd.argoproj.io/instance': 'kyverno' # -- Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). matchConditions: [] @@ -230,6 +382,18 @@ config: # Namespaces to exclude from the default resourceFilters resourceFiltersExcludeNamespaces: [] + # -- resourceFilters exclude list + # Items to exclude from config.resourceFilters + resourceFiltersExclude: [] + + # -- resourceFilter namespace include + # Namespaces to include to the default resourceFilters + resourceFiltersIncludeNamespaces: [] + + # -- resourceFilters include list + # Items to include to config.resourceFilters + resourceFiltersInclude: [] + # Metrics configuration metricsConfig: @@ -258,13 +422,21 @@ metricsConfig: bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30] # -- (map) Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller - metricsExposure: ~ - # metricsExposure: - # kyverno_policy_execution_duration_seconds: - # disabledLabelDimensions: ["resource_kind", "resource_namespace", "resource_request_operation"] - # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5] - # kyverno_admission_review_duration_seconds: - # enabled: false + metricsExposure: + kyverno_policy_execution_duration_seconds: + # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5] + disabledLabelDimensions: ["resource_namespace", "resource_request_operation"] + kyverno_admission_review_duration_seconds: + # enabled: false + disabledLabelDimensions: ["resource_namespace"] + kyverno_policy_rule_info_total: + disabledLabelDimensions: ["resource_namespace", "policy_namespace"] + kyverno_policy_results_total: + disabledLabelDimensions: ["resource_namespace", "policy_namespace"] + kyverno_admission_requests_total: + disabledLabelDimensions: ["resource_namespace"] + kyverno_cleanup_controller_deletedobjects_total: + disabledLabelDimensions: ["resource_namespace", "policy_namespace"] # -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument imagePullSecrets: {} @@ -284,6 +456,8 @@ existingImagePullSecrets: [] # Tests configuration test: + # -- Sleep time before running test + sleep: 20 image: # -- (string) Image registry @@ -297,6 +471,10 @@ test: # Defaults to image.pullPolicy if omitted pullPolicy: ~ + # -- Image pull secrets + imagePullSecrets: [] + # - name: secretName + resources: # -- Pod resource limits limits: @@ -328,6 +506,10 @@ webhooksCleanup: # -- Create a helm pre-delete hook to cleanup webhooks. enabled: true + autoDeleteWebhooks: + # -- Allow webhooks controller to delete webhooks using finalizers + enabled: false + image: # -- (string) Image registry registry: ~ @@ -335,7 +517,7 @@ webhooksCleanup: repository: bitnami/kubectl # -- Image tag # Defaults to `latest` if omitted - tag: '1.28.5' + tag: '1.32.3' # -- (string) Image pull policy # Defaults to image.pullPolicy if omitted pullPolicy: ~ @@ -358,19 +540,15 @@ webhooksCleanup: # -- Pod affinity constraints. podAffinity: {} + # -- Pod labels. + podLabels: {} + + # -- Pod annotations. + podAnnotations: {} + # -- Node affinity constraints. nodeAffinity: {} - resources: - # -- Pod resource limits - limits: - cpu: 100m - memory: 256Mi - # -- Pod resource requests - requests: - cpu: 10m - memory: 64Mi - # -- Security context for the hook containers securityContext: runAsUser: 65534 @@ -385,6 +563,16 @@ webhooksCleanup: seccompProfile: type: RuntimeDefault + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + policyReportsCleanup: # -- Create a helm post-upgrade hook to cleanup the old policy reports. enabled: true @@ -396,7 +584,7 @@ policyReportsCleanup: repository: bitnami/kubectl # -- Image tag # Defaults to `latest` if omitted - tag: '1.28.5' + tag: '1.32.3' # -- (string) Image pull policy # Defaults to image.pullPolicy if omitted pullPolicy: ~ @@ -420,19 +608,15 @@ policyReportsCleanup: # -- Pod affinity constraints. podAffinity: {} + # -- Pod labels. + podLabels: {} + + # -- Pod annotations. + podAnnotations: {} + # -- Node affinity constraints. nodeAffinity: {} - resources: - # -- Pod resource limits - limits: - cpu: 100m - memory: 256Mi - # -- Pod resource requests - requests: - cpu: 10m - memory: 64Mi - # -- Security context for the hook containers securityContext: runAsUser: 65534 @@ -447,6 +631,16 @@ policyReportsCleanup: seccompProfile: type: RuntimeDefault + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + grafana: # -- Enable grafana dashboard creation. enabled: false @@ -469,6 +663,8 @@ grafana: # according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ grafanaDashboard: create: false + folder: kyverno + allowCrossNamespaceImport: true matchLabels: dashboards: "grafana" @@ -486,6 +682,17 @@ features: validatingAdmissionPolicyReports: # -- Enables the feature enabled: false + reporting: + # -- Enables the feature + validate: true + # -- Enables the feature + mutate: true + # -- Enables the feature + mutateExisting: true + # -- Enables the feature + imageVerify: true + # -- Enables the feature + generate: true autoUpdateWebhooks: # -- Enables the feature enabled: true @@ -513,6 +720,12 @@ features: generateValidatingAdmissionPolicy: # -- Enables the feature enabled: false + dumpPatches: + # -- Enables the feature + enabled: false + globalContext: + # -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended) + maxApiCallResponseLength: 2000000 logging: # -- Logging format format: text @@ -520,15 +733,16 @@ features: verbosity: 2 omitEvents: # -- Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) - eventTypes: [] + eventTypes: + - PolicyApplied + - PolicySkipped # - PolicyViolation - # - PolicyApplied # - PolicyError - # - PolicySkipped policyExceptions: # -- Enables the feature - enabled: true + enabled: false # -- Restrict policy exceptions to a single namespace + # Set to "*" to allow exceptions in all namespaces namespace: '' protectManagedResources: # -- Enables the feature @@ -543,175 +757,53 @@ features: - amazon - azure - github - reports: - # -- Reports chunk size - chunkSize: 1000 ttlController: # -- Reconciliation interval for the label based cleanup manager reconciliationInterval: 1m tuf: # -- Enables the feature enabled: false - # -- (string) Tuf root + # -- (string) Path to Tuf root root: ~ + # -- (string) Raw Tuf root + rootRaw: ~ # -- (string) Tuf mirror mirror: ~ -# Cleanup cronjobs to prevent internal resources from stacking up in the cluster -cleanupJobs: - - admissionReports: - - # -- Enable cleanup cronjob - enabled: true - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.28.5' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod labels - podLabels: {} - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - - clusterAdmissionReports: - - # -- Enable cleanup cronjob - enabled: true - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.28.5' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod Labels - podLabels: {} +# Admission controller configuration +admissionController: + autoscaling: + # -- Enable horizontal pod autoscaling + enabled: false - # -- Pod anti affinity constraints. - podAntiAffinity: {} + # -- Minimum number of pods + minReplicas: 1 - # -- Pod affinity constraints. - podAffinity: {} + # -- Maximum number of pods + maxReplicas: 10 - # -- Node affinity constraints. - nodeAffinity: {} + # -- Target CPU utilization percentage + targetCPUUtilizationPercentage: 80 -# Admission controller configuration -admissionController: + # -- Configurable scaling behavior + behavior: {} # -- Overrides features defined at the root level - featuresOverride: {} + featuresOverride: + admissionReports: + # -- Max number of admission reports allowed in flight until the admission controller stops creating new ones + backPressureThreshold: 1000 rbac: # -- Create RBAC resources create: true + # -- Create rolebinding to view role + createViewRoleBinding: true + + # -- The view role to use in the rolebinding + viewRoleName: view + serviceAccount: # -- The ServiceAccount name name: @@ -720,6 +812,12 @@ admissionController: annotations: {} # example.com/annotation: value + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: [] + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -739,6 +837,12 @@ admissionController: # -- (int) Desired number of pods replicas: ~ + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Resync period for informers + resyncPeriod: 15m + # -- Additional labels to add to each pod podLabels: {} # example.com/label: foo @@ -747,6 +851,9 @@ admissionController: podAnnotations: {} # example.com/annotation: foo + # -- Deployment annotations. + annotations: {} + # -- Deployment update strategy. # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy # @default -- See [values.yaml](values.yaml) @@ -782,11 +889,23 @@ admissionController: # Update the `dnsPolicy` accordingly as well to suit the host network mode. hostNetwork: false + # -- admissionController webhook server port + # in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to + webhookServer: + port: 9443 + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. dnsPolicy: ClusterFirst + # -- `dnsConfig` allows to specify DNS configuration for the pod. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. + dnsConfig: {} + # options: + # - name: ndots + # value: "2" + # -- Startup probe. # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ @@ -885,6 +1004,18 @@ admissionController: sigstoreVolume: emptyDir: {} + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.admissionController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + # -- Image pull secrets imagePullSecrets: [] # - secretName @@ -893,7 +1024,8 @@ admissionController: image: # -- Image registry - registry: ghcr.io + registry: ~ + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/kyvernopre # -- (string) Image tag @@ -930,12 +1062,17 @@ admissionController: # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' container: image: # -- Image registry - registry: ghcr.io + registry: ~ + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/kyverno # -- (string) Image tag @@ -970,6 +1107,10 @@ admissionController: # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' # -- Array of extra init containers extraInitContainers: [] @@ -1057,6 +1198,17 @@ admissionController: # -- Otel collector credentials creds: '' + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # Background controller configuration backgroundController: @@ -1070,6 +1222,12 @@ backgroundController: # -- Create RBAC resources create: true + # -- Create rolebinding to view role + createViewRoleBinding: true + + # -- The view role to use in the rolebinding + viewRoleName: view + serviceAccount: # -- Service account name name: @@ -1083,14 +1241,6 @@ backgroundController: # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. # @default -- See [values.yaml](values.yaml) extraResources: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - networking.k8s.io resources: @@ -1116,7 +1266,6 @@ backgroundController: - '' resources: - configmaps - - secrets - resourcequotas - limitranges verbs: @@ -1140,7 +1289,8 @@ backgroundController: image: # -- Image registry - registry: ghcr.io + registry: ~ + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/background-controller # -- Image tag @@ -1156,6 +1306,12 @@ backgroundController: # -- (int) Desired number of pods replicas: ~ + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Resync period for informers + resyncPeriod: 15m + # -- Additional labels to add to each pod podLabels: {} # example.com/label: foo @@ -1164,6 +1320,9 @@ backgroundController: podAnnotations: {} # example.com/annotation: foo + # -- Deployment annotations. + annotations: {} + # -- Deployment update strategy. # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy # @default -- See [values.yaml](values.yaml) @@ -1186,11 +1345,22 @@ backgroundController: # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. dnsPolicy: ClusterFirst + # -- `dnsConfig` allows to specify DNS configuration for the pod. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. + dnsConfig: {} + # options: + # - name: ndots + # value: "2" + # -- Extra arguments passed to the container on the command line extraArgs: {} # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' resources: # -- Pod resource limits @@ -1261,6 +1431,18 @@ backgroundController: # Cannot be used if `minAvailable` is set. maxUnavailable: + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.backgroundController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + metricsService: # -- Create service. create: true @@ -1326,6 +1508,22 @@ backgroundController: # -- Otel collector credentials creds: '' + # -- backgroundController server port + # in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to + server: + port: 9443 + + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # Cleanup controller configuration cleanupController: @@ -1365,7 +1563,8 @@ cleanupController: image: # -- Image registry - registry: ghcr.io + registry: ~ + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/cleanup-controller # -- (string) Image tag @@ -1381,6 +1580,12 @@ cleanupController: # -- (int) Desired number of pods replicas: ~ + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Resync period for informers + resyncPeriod: 15m + # -- Additional labels to add to each pod podLabels: {} # example.com/label: foo @@ -1389,6 +1594,9 @@ cleanupController: podAnnotations: {} # example.com/annotation: foo + # -- Deployment annotations. + annotations: {} + # -- Deployment update strategy. # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy # @default -- See [values.yaml](values.yaml) @@ -1406,16 +1614,36 @@ cleanupController: # Update the `dnsPolicy` accordingly as well to suit the host network mode. hostNetwork: false + # -- cleanupController server port + # in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to + server: + port: 9443 + # -- cleanupController webhook server port + # in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to + webhookServer: + port: 9443 + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. dnsPolicy: ClusterFirst + # -- `dnsConfig` allows to specify DNS configuration for the pod. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. + dnsConfig: {} + # options: + # - name: ndots + # value: "2" + # -- Extra arguments passed to the container on the command line extraArgs: {} # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' resources: # -- Pod resource limits @@ -1605,6 +1833,17 @@ cleanupController: # -- Otel collector credentials creds: '' + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # Reports controller configuration reportsController: @@ -1618,6 +1857,12 @@ reportsController: # -- Create RBAC resources create: true + # -- Create rolebinding to view role + createViewRoleBinding: true + + # -- The view role to use in the rolebinding + viewRoleName: view + serviceAccount: # -- Service account name name: @@ -1626,6 +1871,12 @@ reportsController: annotations: {} # example.com/annotation: value + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: [] + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -1636,7 +1887,8 @@ reportsController: image: # -- Image registry - registry: ghcr.io + registry: ~ + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/reports-controller # -- (string) Image tag @@ -1652,6 +1904,12 @@ reportsController: # -- (int) Desired number of pods replicas: ~ + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Resync period for informers + resyncPeriod: 15m + # -- Additional labels to add to each pod podLabels: {} # example.com/label: foo @@ -1660,6 +1918,9 @@ reportsController: podAnnotations: {} # example.com/annotation: foo + # -- Deployment annotations. + annotations: {} + # -- Deployment update strategy. # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy # @default -- See [values.yaml](values.yaml) @@ -1700,11 +1961,22 @@ reportsController: # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. dnsPolicy: ClusterFirst + # -- `dnsConfig` allows to specify DNS configuration for the pod. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. + dnsConfig: {} + # options: + # - name: ndots + # value: "2" + # -- Extra arguments passed to the container on the command line extraArgs: {} # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' resources: # -- Pod resource limits @@ -1782,6 +2054,19 @@ reportsController: sigstoreVolume: emptyDir: {} + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.reportsController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + metricsService: # -- Create service. create: true @@ -1846,3 +2131,22 @@ reportsController: collector: ~ # -- (string) Otel collector credentials creds: ~ + + # -- reportsController server port + # in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to + server: + port: 9443 + + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + + # -- Enable sanity check for reports CRDs + sanityChecks: true